ABSTRACT


The Royal Saudi Naval Forces (RSNF) are vulnerable to the same kinds of threats 
to their information infrastructure as the rest of the industrialized nations. As an officer in 
the RSNF, I am familiar with the special information assurance needs and interests of my 
organization, and thus, I am in a position to leverage my formal Information Technology 
Management (ITM) education to address these needs. The United States has played a 
prominent lead role in establishing many educational curricula in the area of 
information assurance (IA). Though the breadth and depth of educational curricula and 
resource materials (i.e., universities, certification programs, computer-based training, 
Web content, etc.) are impressive, the sheer volume can be overwhelming and intimidating 
to the novice.

What is needed is a methodical survey of the main IA themes that are currently 
emphasized by the most prominent and respected institutions offering IA training and 
education. This survey needs to be cross-referenced to identify core areas, and any other 
didactic information (e.g., models, rules, best practices, etc.) that might prove useful in 
developing final training products for the RSNF. 
I. INTRODUCTION


Rapid advances in Information and Communication Technology have a profound 
effect on our Navy. Information is becoming the most important factor. Militaries in 
general are becoming increasingly dependent on computer technology for every facet of 
their operations in today’s information technology environment. Information security is 
critical to the success of the RSNF, and achieving this security is greatly dependent on 
each user’s awareness and behavior along with a thorough understanding of the risks to 
which our information assets may be subjected. This awareness is a necessary starting 
point for the development of a successful information security training program. The 
constant development and deployment of new viruses and worms, the abundance of 
Internet attacks, and the occasional system abuse by authorized users, all require the user 
to be knowledgeable and attentive. In the RSNF, computer systems and resources are 
used every day to complete mission critical tasks. Thus, it is important for us to 
understand the risks of allowing end users who are not aware of computer security 
considerations to operate these systems, resulting in potential exploitation by our 
enemies. The critical role that awareness plays in this environment has been championed 
extensively in Information Assurance literature. This excerpt from the Native Intelligence Inc. 
website is representative of such sentiment:

Security apathy and ignorance are the biggest threats to computer systems. 

. . . And the best way to achieve a significant and lasting improvement in 
computer security is not by throwing more technical solutions at the 
problem — it's by raising awareness training and educating all computer 
users in the basics of computer security. 

With the growth of the Internet and the potential increase of utilizing Internet 
technologies inside the RSNF, more and more computing resources have become 
connected to networks that can potentially be reached from both outside and inside the 
Navy’s system infrastructure perimeter. Simply stated, as connectivity increases, the risk 
of attack on our networks increases. When we are dealing with information security 
specifically, though, three properties that underpin the need for an Information 
Security Awareness Training Program stand out because of the clear agreement on them: 
confidentiality, integrity, and availability (CIA). Information can reasonably be called 
secure when these three properties are present. In theory, the goal of this Information 
Security Awareness Training Program is straightforward: to minimize the risk 
associated with the use of the Navy’s systems and computers. Risk has two 
constituent components, threats and vulnerabilities; this training program will 
focus on the “safeguards” component of risk reduction, specifically their selection and 
employment to protect the confidentiality, integrity and/or availability of the Navy’s 
systems. After the threats and vulnerabilities have been addressed and the safeguards 
learned from this course have been applied, what is left is the portion of risk remaining 
after security measures have been applied, known as residual risk. The relationship between 
these three key elements can be expressed in formula form as follows:

Risk = Threats x Vulnerabilities 

Residual Risk = Risk - Safeguards 

Therefore: Residual Risk = (Threats x Vulnerabilities) - Safeguards 

This thesis will research various prominent computer security training programs 
that are already in existence, and will then suggest a composite program customized to 
meet the needs of the Royal Saudi Naval Forces. RSNF and the other branches of the 
Ministry of Defense and Aviation (MODA) cannot protect the confidentiality, integrity, 
and availability of information in today’s highly networked system environment without 
ensuring that each person involved understands their responsibilities within the RSNF 
and is sufficiently trained to perform them. 

Chapter II of this thesis will present an introduction to security awareness training 
programs, in general, and then continue to argue why such programs are important to the 
Saudi Navy. In the final section of Chapter II, I will identify the intended target audience 
of this course; i.e., who should be trained in computer security. In Chapter III, I will 
present the outcome of my analysis of the various existing programs, followed by my 
assessment of their application for the RSNF. Chapter III will also develop the awareness 
training plan and strategy then conclude with the awareness training topics selection 
criteria that will fit the needs of RSNF. Chapter IV will propose the awareness training 
material for the ISATP and then cover the implementation plan for the proposed program 
along with how it will be delivered to the target audience. Chapter V will conclude this 
thesis and provide some recommendations for further research on this topic. 
II. COMPUTER SECURITY AWARENESS AND TRAINING PROGRAMS


This chapter provides an overview of information security awareness and 
training programs, and answers the question of why such programs are important to the 
RSNF. This chapter also addresses who should be attending these programs in the Saudi 
Navy. 


A. WHAT EVERYONE NEEDS TO KNOW 

There is an old saying that a chain is only as strong as its weakest link. While 
organizations around the world regularly employ powerful firewalls, antivirus 
software and sophisticated intrusion-detection systems to safeguard valuable information 
assets, they often pay too little attention to the most important and vulnerable security 
component: the human part. In virtually every aspect of our lives that entails the 
operation of sophisticated technology, we have to be certified in some way or another. 
Whether we drive a car or repair an aircraft, we need some kind of knowledge-validating 
certificate, yet we are free to use computers and the various networks within the Navy 
without any sort of training and certification on the security aspects and potential risks 
associated with their use. When these assets are attacked, damaged or threatened, the 
confidentiality, integrity and availability (CIA) of our data and the proper operation of the 
RSNF may be interrupted. 

The cause of interruptions can range from errors affecting information integrity to 
viruses destroying entire computer centers. Losses can arise, for example, from the 
actions of apparently trusted employees defrauding a system, from outside hackers, or 
from careless data entry clerks. Precision in estimating computer-related information 
losses is not possible because many losses are never discovered, and others are 
intentionally buried to avoid unfavorable publicity. The effects of various threats vary 
considerably, yet all effects can ultimately be classified into one or more of the three 
security attributes of information: confidentiality, integrity or availability. 
The Royal Saudi Naval Forces strive to make resources readily available to all 
employees, from commanders to data entry clerks, in a developmental environment 
where data sharing is essential for conducting daily business. Promoting a secure 
computing strategy may seem difficult. Computer networks present a new set of 
challenges to administrators and technical support personnel for providing a secure 
working environment. Today, information security is a much bigger issue and the context 
is difficult to define. The dangers are real with threats that multiply and divide. The 
threats come from both insiders and outsiders, feeding off vulnerabilities that are inherent 
in the technology and the users. It is intimidating for technical support personnel in the 
RSNF, who quite often have other professional responsibilities, to identify, quantify, and 
justify the measures necessary to maintain a safe and secure network installation. We can 
make tremendous progress toward achieving a more secure computing environment by 
drafting and enforcing a thorough security policy and educating our personnel to both 
understand and follow its mandates via an effective awareness training program. 

Since security is everyone's responsibility, RSNF personnel need to know what 
threats they are facing and what they can do to diminish those threats. We have to make 
sure that everybody within the RSNF understands the value of their information assets 
and the tools that will help them protect it. We need to change the way we think and act, 
so that security is not an add-on, but rather an integral part of our daily use of all 
information systems and networks. What we need exactly is a move toward a 'culture of 
security'. [1,3] 

1. What Resources Are We Trying to Protect? 

A basic goal of Information Security Awareness Training Programs is to reduce 
vulnerabilities in our RSNF Information Infrastructure by promoting widespread 
education in computer security and to protect resources and assets from loss. Resources 
may include the following. 

a. Information 

Information systems have not been designed to be secure. The security 
that can be achieved through technical means is limited. Recently, there has been an 
increase in awareness of the need within government agencies to protect sensitive, 
proprietary and secret information. The following quotation conveys the importance of 
information in our world: 

The world isn’t run by weapons anymore, or energy, or money. It’s run by 
little ones and zeros, little bits of data. It’s all just electrons.... There’s a 
war out there ... and it’s not about who’s got the most bullets. It’s about 
who controls the information. What we see and hear, how we work, what 
we think, it’s all about information [Cosmo from the Movie ‘Sneakers’]. 

In many instances, what we are trying to protect is information. In today’s 
“information age”, information is vital and has a huge value. This value could be defined 
or it could be perceived. The fundamental principles of information security are 
confidentiality, availability and integrity. We must look at each of these principles and 
relate them to our training program objectives. 

b. Services 

This includes systems and applications. Because new exploits are written 
every day, and because not all of them involve viruses and buffer overflows, we should 
pay attention to the applications and whether their security patches are current. 


c. Equipment 

Equipment includes computers and networking components, and in 
particular, computer consoles and sensitive network equipment such as routers, hubs and 
switches. One example is computer theft. The loss of equipment can result in financial 
loss to the RSNF, but it can also have serious effects if the data lost with the equipment 
had not been backed up in a timely manner or was sensitive to disclosure. 

2. Against What 

The growing complexity of security threats creates new issues for enterprise 
managers to deal with as they try to protect themselves. A threat is defined as “any 
circumstance or event with the potential to cause harm to an information system in the 
form of destruction, disclosure, adverse modification of data, and/or denial of service 
[NSTISSI 4009]”. When facing the issue of security, it is important to understand exactly 
what we are trying to protect. Information is the RSNF’s and every organization’s most 
important asset and must be protected from unauthorized access. Figure 1 introduces a 
layout that can be used to divide security threats into different areas. 


[Figure 1 is a tree diagram; the labels recovered from the image are listed below.] 

Security Threats 
    Physical threats 
        Physical environment: Fire, Flood, Power Loss 
    Unintentional threats 
        Malfunction: Equipment Malfunction, Software Malfunction 
        Human Error: User/Operator Error 
    Malicious threats 
        Spamming 
        Snooping: Digital snooping, Shoulder surfing 
        Spoofing 
        Scanning: Sequential scanning, Dictionary scanning 
        Trap door (Back door) 
        Malicious software: Viruses, Worms, Trojan horses 

Figure 1. Different Areas of Security Threats. 

a. Malicious Threats 

Malicious threats usually come from non-employees (i.e., outsiders) or 
disgruntled employees (i.e., insiders) who have an adverse goal or objective to achieve, 
and are in a position to exploit one or more security vulnerabilities. Malicious attacks 
vary in their targets, methods, and motives but are usually covert acts by individuals who 
wish to harm the system or prevent others from using it. Hackers disrupt normal business 
operations by exploiting a business' vulnerabilities. They use various techniques, 
methods, and tools to accomplish this. We need to understand the various aspects of 
security to develop measures and policies to protect our assets and limit their 
vulnerabilities. 

The correct term to use for someone who maliciously breaks into systems 
is “cracker.” Common methods for gaining access to a system include password cracking, 
exploiting known security weaknesses, network spoofing and social engineering. 
Malicious attackers normally will have a specific goal, objective, or motive for an attack 
on a system. These goals could be to disrupt services and the continuity of business 
operations by using denial-of-service (DoS) attack tools. They might also want to steal 
information or even steal hardware such as laptop computers or Personal Digital 
Assistants (PDAs). 

b. Unintentional Threats 

Unintentional threats can range from a user who accidentally deletes 
important operating system files to loading unauthorized software that has a virus. 
Greater precautions must be taken for users with access to data that are more sensitive. 
An example of a non-malicious attack is when an employee copies games from a diskette 
onto a local hard drive and then runs the executables. If any of the games contain a virus 
or Trojan horse, and the organization has not yet deployed any anti-virus software, 
employees will begin to notice strange and unforeseen events occurring on their 
computers, causing disruption of services and possible corruption of data. 


c. Physical Threats 

Physical security, an integral part of protecting data, is vital in a balanced 
security program. Physical security involves protecting offices containing computers and 
related equipment from environmental threats (e.g., fire and flood), physical threats from 
people, and various other forms of equipment and environmental contamination. Physical 
security is one of the most important aspects of computer security. It is also one of the 
most often overlooked aspects. Physical security also deals with protecting our systems 
from intruders who use or attempt to gain physical access to the system to conduct 
exploitation via technical means (e.g., capturing password files or installing a 
login-capturing artifice). 


B. WHY IS ISATP IMPORTANT FOR THE RSNF 

Awareness and training play an important role in achieving the RSNF goal of 
computer security. Providing periodic information security awareness training to 
employees who are involved in the management, use, or operation of computer systems 
under their control is critical. The training objectives are to enhance employee awareness 
of the threats and vulnerabilities to their computer systems, and to promote the use of 
improved computer security practices within the Navy. The RSNF Information Security 
Awareness Training Program (ISATP) is a tool to educate RSNF personnel on their 
responsibility to protect the confidentiality, availability and integrity of information and 
information processing systems. We need to understand that information security is not 
just a technology concern. We should give equal attention to human management and the 
security behavior of employees, and we will strive to build a better information security 
awareness and training program throughout the RSNF that is based on the principles 
described later in this thesis. 

Obviously, information security has to be improved upon if we are to properly 
protect the RSNF’s valuable information assets. Until now, however, most of the focus 
on solving RSNF information security problems has been focused on technology. This 
approach has regrettably ignored one of the most important elements of successful 
information security: the human aspect. This Information Security Awareness Training 
tries to correct this discrepancy by directing more attention to what humans can do as 
individuals and as a team of employees to significantly improve information security in 
any organization. Information security professionals have long realized the need to 
inform, educate and manage the “human” side of information security. The idea that 
people are at the center of the problem of security breaches is common, but many 
organizations are still struggling with the following questions: “How do we deal with the 
human part? How do we tackle information security from a non-technical standpoint that 
can be appreciated by normal users and may increase our organization’s overall security? 
Who needs to be trained and educated in information security?” This thesis will address 
these questions and propose answers to them. 


C. WHO SHOULD ATTEND ISATP 

The human element poses the greatest risks to information security. Operating 
systems can be hardened, virus scans can be conducted on a regular basis, and hardware 
can be physically secured. However, if employees of the RSNF do not understand and 
embrace basic information security best practices, the other security initiatives have no 
meaning. This course is designed for all RSNF personnel, from Executive Leadership, 
section leaders, and ship commanders, to the soldiers and clerks entering data into 
databases. 
III. THE SUGGESTED AWARENESS TRAINING PROGRAM 


Now that the need for an Information Security Awareness Training Program 
(ISATP) for the Royal Saudi Naval Forces has been established, the next logical step is to 
define the scope and essential elements of such a program. The first part of this chapter 
will analyze selected information security awareness training courses offered by four 
dominant and respected information assurance (IA) curriculum providers. The guidelines 
developed in this thesis define a minimum set of expectations. The guidelines will be 
reviewed as necessary to reflect future changes in the use of technology, RSNF and 
Government Laws and Policies. The analysis of these courses will help in identifying 
appropriate information security awareness training material that will aid in achieving 
and maintaining enhanced levels of confidentiality, integrity and availability for specified 
information within the RSNF. 

The second part of this chapter will discuss the RSNF awareness training needs 
assessment. The result of this assessment will justify the selection of the terminology 
and core concepts that will be included in the ISATP, and will help persuade the managers in 
the RSNF to allocate adequate resources to meet those needs. The third part of this chapter 
will present the security awareness training strategy and plan. The plan will define the 
strategy of developing and implementing the ISATP in the Royal Saudi Naval Forces. 

The fourth part of this chapter will discuss and establish priorities regarding who 
needs to be trained, when the training should be delivered, and what should be considered 
when prioritizing the training. The fifth part of this chapter will answer the question of 
how detailed this program will be, and why. The last part of this chapter will justify the 
reasons why these awareness topics were selected. This justification will be derived from 
the analysis of the four courses and from the needs assessment of the RSNF. 


A. ANALYSIS OF VARIOUS EXISTING TRAINING PROGRAMS 

The majority of IA professionals agree that security awareness training is critical 
to managing enterprise risk, yet most information security practitioners say their training 
programs are inconsistent at best — and ineffective at worst. Security awareness training 
has always been difficult to execute. However, with the wide availability of awareness 
training courses offered by commercial, educational, and governmental organizations 
these days, the tools to engineer a meaningful ISATP are available. 

I have selected four basic information security courses to be analyzed in this 
thesis. These four courses are offered by four distinct security training providers. The 
analysis will include a historical background of these providers and their experience in 
the field. It will also include the terminologies and core concepts covered by each. These 
providers and detailed information of the topics covered by their courses are discussed 
below. 


1. SANS Institute 

The first provider discussed is the SANS Institute. The SANS (SysAdmin, Audit, 
Network, Security) Institute was established in 1989 as a cooperative research and 
education organization. The SANS Institute enables more than 156,000 security 
professionals, auditors, system administrators, and network administrators to share the 
lessons they are learning and find solutions to the challenges they face. At the heart of 
SANS are the many security practitioners in government agencies, corporations, and 
universities around the world who invest hundreds of hours each year in research and 
teaching to help the entire information security community. [4] 

Many SANS resources, such as news digests, research summaries, security alerts 
and papers are free. Income from printed publications funds university-based research 
programs. Income from SANS educational programs funds special research projects and 
SANS Training programs. The SANS community supports various programs and 
products including: 

• Information Security Training 

• The Global Information Assurance Certification (GIAC) Program 

• SANS Resources 

• Internet Storm Center 

• Center for Internet Security and Security Consensus Operational 
Readiness Evaluation (SCORE) 

• SANS/FBI Top Twenty List 
SANS training provides a core set of educational courses designed to help master 
the practical steps necessary for defending systems and networks against the most 
dangerous threats - the ones being actively exploited. The courses were developed 
through the community consensus of hundreds of administrators, security managers, and 
information security professionals, and address both security fundamentals and the in- 
depth technical aspects of the most crucial areas of information security. SANS training 
is provided in a classroom setting from SANS-certified instructors, or can be self-paced 
over the Internet. SANS programs have educated many thousands of security, 
networking, and system administration professionals in the world. [4] 

SANS also offers a Volunteer Program through which, in return for acting as an 
important extension of the SANS conference staff, volunteers may attend classes at no 
cost. Volunteers are most definitely expected to pull their weight and the educational 
rewards for doing so are substantial. SANS Track 1, Security Essentials, enables novice 
students to learn the full SANS Security Essentials curriculum needed to qualify for the 
GIAC Security Essential Certification (GSEC), which is one of a series of Global 
Information Assurance Certification (GIAC). [4] 

In this track, students will learn the language and underlying theory of computer 
security, and at the same time, will learn the essential, up-to-the-minute knowledge and 
skills required for effective performance. This course meets both of the key promises 
SANS makes to their students: (1) they will gain up-to-the-minute knowledge they can 
put into practice immediately upon returning to work; and (2) SANS identifies the best 
security instructors to teach their courses, by choosing from those who have ranked 
highest in a nine-year competition among potential security faculty. This program offers 
great teaching along with the ability to master the material needed for the two most 
popular certifications in information security: Certified Information Systems Security 
Professional (CISSP) and GIAC Security Essentials Certification (GSEC). Appendix A 
has a fully detailed table of terminologies and core concepts covered in this six-day 
course. [4] 
2. Naval Postgraduate School (NPS) 

The second provider is the Naval Postgraduate School’s Center for Information 
Systems Security (INFOSEC) Studies and Research (NPS CISR). NPS has been home to 
a vibrant program in computer and network security since 1990. Located in Monterey, 
California, CISR was one of the first efforts of its kind to develop a program of tightly 
coupled research and instruction on IA topics at the graduate level. For over a decade, 
CISR's program of classes, research, visiting professors, workshops, academic outreach, 
short courses in IA, and invited lecture series have set the standard of excellence in 
computer information security research. Each year over 400 military and civilian NPS 
students use the CISR laboratories for coursework and research, and CISR supports more 
graduate student thesis research in IA than any other program in the United States. [5] 

Designated by the National Security Agency (NSA) as a National Center of 
Excellence in IA education on April 14, 2000, the Naval Inspector General noted in his 
Command Assessment of NPS that CISR “has developed an outstanding and 
comprehensive IA curriculum. Undoubtedly, CISR's immediate return on investment for 
the services is the cutting-edge knowledge and experience our graduates apply to current 
operational assignments”. [5] 

The CISR philosophy is based on the fact that classes and research examine the 
problem of malicious software and system subversion. Using foundational concepts and 
technologies as a springboard for new developments, students and faculty construct 
systems to provide high confidence of enforcement for critical security policies in the 
face of all malicious software and penetration attempts, including those that are not yet 
known. They believe security and assurance should be built into systems from the start 
rather than as an afterthought or as a series of continuing updates and patches. To that 
end, CISR involves synergistically related classes, laboratory work and research of 
faculty, students and staff, making CISR truly a valuable DoD resource for leading edge 
IA research and education. [5] 

The NPS CISR is the world's foremost center for military research and education 
in Information Assurance (IA), defensive information warfare, and computer and network 
security. CISR's mix of experienced military officers and government and civilian 
students make it uniquely qualified to address security issues of the Department of 
Defense (DoD) and U.S. Government. CISR is also known throughout the field as one of 
the most innovative security research groups in the world and is unsurpassed in 
producing a cadre of military officers with Master’s or Ph.D. degrees qualified for 
assignment to critical IA-related roles. Their graduates have state-of-the-art systems 
security and IA knowledge and an advanced degree in Information Sciences. [5] 

In particular, I will analyze their CS-3600 (Introduction to Computer Security) 
Course. This 12 week course is concerned with fundamental principles of computer and 
communications security for modern monolithic and distributed systems. It covers 
privacy concerns, data secrecy and integrity issues, as well as U.S. DoD security policy. 
Security mechanisms introduced will include access mediation, cryptography, 
authentication protocols, and multilevel secure systems. Students are introduced to a 
broad range of security concerns including both environmental as well as computational 
security. Laboratory facilities are used to introduce students to a variety of security- 
related technologies including, discretionary and mandatory access controls (DAC and 
MAC) in both low and high assurance systems, identification and authentication 
protocols, the use of cryptography in distributed systems, classes of malicious software, 
and basic network filtering technology (firewall operation). [5] 

Appendix B lists the main terminologies and core concepts covered in the topics 
of this course. 


3. Learning Tree International 

Learning Tree International is a world leader in hands-on training for IT 
Professionals. Over 1.3 million course participants from more than 18,000 companies 
have attended their IT courses led by expert instructors with real-world experience. 
Courses are presented at Learning Tree Education Centers and other locations throughout 
the world, as well as on-site at client facilities. They offer over 150 courses in today's 
hottest technologies, including Windows XP, 2000, .NET, Java, XML, Oracle9i and 8i, 
UNIX and IT Management, information security along with 42 Professional Certification 
Programs. [7] 
They state that each of their intensive 4- and 5-day hands-on courses is designed 
to help attendees acquire the skills they need...fast and in-depth. Since their training is job 
role-focused, attendees are able to apply their new skills the day they return to work and 
begin reaping the benefits immediately. Learning Tree Course instructors work full time 
in high-tech companies, R & D labs and other business environments where they use the 
very technologies they teach, since they have already solved the same technical problems 
we are likely to encounter. They say that they have a unique Multimedia Display System 
used in their Education Center courses, and that with their state-of-the-art, proprietary 
display system, the instructor will annotate and manipulate information in real time on 
two independent projection screens. According to the Learning Tree website, this 
powerful teaching tool will give their instructors greater flexibility to customize and pace 
the course presentation. [7] 

Learning Tree presents over 8,000 course events annually at their Education 
Centers in Washington, D.C., New York City, Atlanta, Boston, Chicago, Los Angeles, 
Ottawa, Toronto, London, Paris, Stockholm and Tokyo. The courses are also available 
for presentation on site at workplaces. A full list of the topics and core concepts covered 
in their "Introduction to System and Network Security" course is given in Appendix C. 

4. Laptop Training Solutions 

Students in Laptop Training Solutions' programs receive a laptop computer with 
OMNI award-winning LBT, which includes the best instructional design and graphic 
learning systems, state-of-the-art simulations and exam preparation software to create an 
unparalleled learning experience. Also included is a set of authorized study manuals for 
selected courses of study. Students have the convenience of studying at home or in an 
environment of their choosing, whenever their schedule allows. They can then frequent 
the state-of-the-art networking labs, or set up their own lab at home. Laptop Training 
Solutions' training products use "applied simulation" to give students hands-on 
experience with their courses of study. Certified professional guided study groups are 
available in the daytime, evenings and on weekends, and provide direction and answers 
to questions. Support is also available through e-mail, telephone, and on-line support 
through student services. [8] 
The CompTIA Security+ vendor-neutral certification exam is the worldwide 
standard of competency for foundation-level security practitioners. The demand for 
skilled security professionals is growing significantly. The technology community 
identifies Security+ as the perfect way to validate one's knowledge of information 
security. Laptop Training Solutions prepares students for this exam by providing them 
with study manuals, a computer and exam preparation software simulations. 
Appendix D lists the topics and core concepts covered in these learning resources. 


B. NEEDS ASSESSMENT 

Security awareness and training should be focused on the RSNF’s entire 
employee population. Executives must set the model for proper INFOSEC conduct within 
the Navy. An awareness training program must begin with an effort that can be deployed 
and implemented in various ways and is aimed at all levels of the organization including 
senior and executive managers. This course will be developed specifically to train and 
help Royal Saudi Naval Force employees understand the vulnerabilities of the automated 
information systems that support the RSNF infrastructure. In addition, this course will 
assist these employees in minimizing the risk associated with their use of these systems. 
An important result of supplying such baseline standards of INFOSEC is nurturing a 
commitment to improve RSNF’s attitude toward information security. 

Employees exposed to computers and information systems will be trained in 
information security, so they can use their technical skills along with the knowledge 
obtained from the ISATP course to promote a more secure RSNF IT environment. The 
ISATP course is a baseline course outline. The final results of this course are highly 
dependent on the INFOSEC topics and concepts included in its syllabus. I conducted this 
study of trends identified in industry, academic, or U.S. government publications and by 
information security training organizations. The use of these well-known and 
professional courses provides me with insight into what should be taught in the RSNF 
ISATP. Furthermore, my 10 years of experience in Information Systems in the Saudi 
Navy, and the review and assessment of the available resource materials and courses, 
provided me with the solutions for the awareness training needs of the RSNF, and with 
the gaps between the level of information security we need in the RSNF and what is 
being done. 


The ISATP should be designed to provide its participants with core IA knowledge 
and practical techniques for protecting the security of the RSNF information 
infrastructure. Security issues, technologies, and recommended practices should be 
addressed at increasing layers of complexity, beginning with concepts and proceeding on 
to technical implementations. The principles, strategies, and practices covered must be 
applicable to most system platforms and network environments in the RSNF. 


C. AWARENESS TRAINING STRATEGY AND PLAN 

Awareness training strategy pertains to the training team’s understanding of the 
priority needs and how complex the recommended materials are. This information is 
based on an assessment of the audience, the working environment, the end goals desired, 
and availability of trainees. After identifying the core information security training topics 
from the analysis of the four existing courses described in section A of this chapter, we 
need to develop a strategy for implementing the resulting ISATP. While the possible 
elements of a successful awareness training strategy are limitless, here are some of the 
most common ones. 

• Length and quality 

Length and quality of training are the most obvious strategic elements. These two 
elements are generally in opposition to one another. The strategy may be either one of: a) 
very high quality/depth, but of excessive length, or b) of shorter duration, but lacking 
sufficient quality/depth. I endeavor to establish the ideal length versus quality tradeoff by 
scoping the ISATP material to only that which is deemed critical at the user awareness 
level, vice what is more appropriately addressed by systems designers and engineers. I 
rely largely on my personal experience and education in determining where that virtual 
boundary lies. 
• State-of-the-art Material 


Offering the most technically advanced awareness training material can form a 
powerful awareness training strategy. In the RSNF we need the capability to offer 
state-of-the-art training by training the trainers and keeping them up to date in the IA 
field. 

• Trainees’ availability 

Organizations realize significant savings on training and associated travel costs if 
they can offer employees training without requiring them to leave their sites. This can be 
achieved by providing the training using a web-based model, CDs, or a mobile training 
team. In this way, training is no longer limited by physical location, but is instead based 
only upon the trainees' availability. 

What is important now is to define the roles of the Information and Computer 
Department and the responsibilities of the Training and Security Departments in the 
Navy with regard to who, where, when and how this course will be presented and taught 
within the Navy. 

The implementation of ISATP in the RSNF proposed in this thesis is based on the 
assumption that this course will be designed, developed and maintained by the 
Information and Computer Department in the RSNF HQ, which will be considered the 
central security awareness training authority in the RSNF. The Information and Computer 
Department should establish and disseminate a security policy and then assign the 
responsibility for enforcing this policy to the organizational units. The Information and 
Computer Department should also design, develop and maintain the information security 
awareness training program (ISATP) material and provide it to the Training Department 
for execution and implementation. 
Figure 2. ISATP Management. 


Prior to delivery of the training, a pilot group should be used to test training 
procedures and materials. This pilot will be a control group, ideally located at RSNF 
headquarters, which will allow the training team to have better communication and quick 
feedback from the pilot group. The pilot training session should be conducted by the 
Information and Computer Department within a specific timeframe to obtain feedback 
and make necessary changes before delivering the course to the training department. 


D. ESTABLISHING PRIORITIES 

Prevention is certainly better than cure, and securing computer systems is one of 
the best examples of this. Computers and networks are large, complex systems, so the 
best we can achieve is to reduce the likelihood of a break-in. It is never realistic to expect 
a completely secure system environment, especially if it is connected to a network. To 
successfully meet a training task, especially with limited resources, equipment and 
personnel, we must establish priorities. Establishing priorities helps promote an effective 
and efficient training program in the RSNF, and improves the education and level of 
awareness of the trainees. These priorities will address who should be trained first along 
with the subject matter they should receive. The program is open to all personnel without 
restrictions; however, employees in security, intelligence, the Information and Computer 
Department, human resources and command and control center members are especially 
encouraged to attend ISATP. In my opinion, the training in information security should 
start at the top of the organization, as educating managers in information security will sell 
them on the merits of such education, and hence will encourage them to have their 
employees enrolled in the program. There are some key jobs with which I recommend we 
start, and these include: 

• Managers and Security Officers 

• Communication and IT Specialists 

• Systems Administrators 

• Web Administrators 

• Network Engineers 

The training team will base the level of course detail on who is attending the 
course and how much time is available. Executives and top managers will have less time 
available than clerks and data entry personnel, for example. 


E. MATERIAL COMPLEXITY 

The practice of training and keeping end-users updated with regards to 
information security does not have to be complicated. Many organizations accomplish 
this with a moderate budget and moderate levels of complexity. Implementing ISATP 
in the RSNF does not mean that all end-users need to be certified in security. What we 
need is simply to make the end-users aware of security. Users need to understand that 
security is a very serious matter, and that the only way to keep the RSNF secure is to 
have everyone be responsible for his own part. Some important concepts that ISATP 
should stress to the end-users include: 

• Good software installation practices: employees must know when it is not 
proper to install or run an application (e.g., from e-mail attachments, from 
unknown/untrusted web sources, or from an un-scanned floppy disk, etc.). 
It is great if a policy exists that controls this issue, but it is necessary to 
ensure that the end-users know why this is important, or they will never 
follow it. 

• Good awareness practices: End-users should be aware of activities 
concerning or affecting them and their systems. They need to know that 
they are more likely than an administrator to witness a hacker's activity. 


• Good web-browsing practices: End users should know which sites not to 
access, what information is or is not safe to provide over the web, and they 
should understand basic browser security terminology and practices. 

• Good confidentiality practices: It is important that everyone knows what is 
confidential and not confidential within the RSNF, both in general and in 
their specific working environment. [10] 

• Good system security practices: End users must know the critical role of 
passwords, regular data backups, uninterruptible power supplies and firewall 
protection, and the need to ensure that the system is configured with the 
latest service packs, device drivers, application compatibility updates, and 
system security updates as soon as they are available. 

No matter how complex the ISATP materials are, total security can never be 
achieved. Care should be taken not to select materials just because they are available. For 
example, there are probably several hundred Information Assurance (IA) courses 
available on the market, but few of them are suitable for the RSNF. The purpose of this 
course is not to present the latest security threats and protection technologies, but rather 
to introduce RSNF employees to the more common, everyday security practices that will 
best meet the information assurance needs of the RSNF. 


F. SELECTING AWARENESS TRAINING TOPICS 

Selecting awareness training topics that meet RSNF needs is the main objective of 
this thesis, and the most difficult part. It is difficult because ISATP is just a start, and 
because this training program will be attended by the vast majority of the RSNF 
employees regardless of their position in the hierarchy of the Navy. Furthermore, the 
ISATP should reflect the security policy of the Navy. It may seem difficult for a single 
program to satisfy all types of employee needs within the RSNF, and indeed, for this 
reason, the course will be generic, avoid technical complications, and focus on the 
fundamentals and on building a precise vocabulary of IA terms and concepts. When 
determining the topics best suited for inclusion in the ISATP, the following should be 
taken into consideration: 

• Information relevance: Is the information provided appropriate to the 
audience level, well organized and easy to use? 
• Information sources: Does the information come from primary resources 
(i.e., textual material, abstracts, and web pages)? 

• Training material: Can it be developed within the proposed budget? What 
are the constraining factors for producing this material? Will the 
technology likely change before the proposed training material can be 
produced? 

• Time: What are the critical time factors involved? When and how many 
learners must be trained within a given time frame? Is there more than one 
group to be trained? 

• Instructors: Are they qualified for these types of courses? Do we have to 
train the instructors and bring them up to speed? How long will it take to 
bring them up to speed? How many instructors are available for this 
course? 

• Self-Teaching Package: Are books and materials available? Are they 
geared to the student's educational level? Are the employees motivated to 
learn on their own? [10] 

Training material and topics selected for ISATP will provide the skills necessary 
for RSNF employees to accomplish the security responsibilities associated with their job. 
The selection of the awareness training topics will be based on the common concepts 
covered by the four programs analyzed earlier in this chapter. This course will be 
reviewed, changed and modified frequently based on the changing needs of the RSNF as 
new threats, vulnerabilities and safeguards are discovered or introduced. 
IV. THE AWARENESS TRAINING PROGRAM AND ITS IMPLEMENTATION 


This chapter will propose the ISATP material and will give an overview of some of 
the techniques we could use to deliver this material. Part A will propose the topics of the 
ISATP and the justification of why these topics are selected. Part B of this chapter will list 
the possible techniques for delivering ISATP material. Part C will describe how we are going 
to evaluate the program and get the feedback from the trainees, lecturers and supervisors. 
Part D covers the ongoing improvement of the training program. 


A. PROPOSED AWARENESS TRAINING MATERIAL 

The overall objective of this thesis is to facilitate the development of a broad, 
measurable, cost-effective information security awareness training program which supports 
the missions of the RSNF. This part of the thesis will propose the topics that comprise the 
information security awareness training program (ISATP) material. These topics will be 
essential and need to be well understood by all RSNF employees at all levels. Protecting the 
RSNF's information assets demands no less. The selection, as I mentioned earlier in chapter 
three, will be based on the core concepts covered by some of the well-known information 
security training providers, matched against the needs of the. This proposed material will 
allow the course developers to have a baseline of subject matter that will comprise the future 
information security course. The list of the topics included in the proposed material is 
intended to be fundamental for this type of awareness training, yet it will build a wide range 
of security-related skills needed by employees in several functional area categories. 
Moreover, it will be a good starting place for the development of material suitable for 
training employees with different needs and levels of training. The list will include the topics 
and a justification of why these topics are important. Although the material framework, 
presented below, provides a generic outline for material to be included in ISATP training 
throughout the RSNF, it is necessary that the instructor relate the actual course content to the 
RSNF's unique culture and mission requirements. Emphasis placed on the specific topics 
may vary by student audience or the specific job needs. [11] 
The material framework was developed to present topics and concepts in a logical order, 
based on the information security courses analyzed in chapter three. Appendix E has the full 
outline of the proposed ISATP material. Below is a detailed outline that covers the definition 
of each part, an explanation of why it is important and how it is related to this course, a brief 
description of the objective of each part, and finally an estimate of the time needed to cover it: 

1. Introduction to Information Assurance 

1.1. INFOSEC & COMPUSEC 

1.1.1. Definition: INFOSEC is defined as the protection of information systems 
against unauthorized access to or modification of information, whether in 
storage, processing or transit, and against the denial of service to authorized 
users, including those measures necessary to detect, document, and counter 
such threats [12]. COMPUSEC is defined as the application of hardware, 
firmware and software security features to a computer system in order to 
protect against, or prevent, the unauthorized disclosure, manipulation or 
deletion of information, or denial of service. [13] 

1.1.2. Importance/Relevance: Many people do not really understand what 
INFOSEC and COMPUSEC are, nor what their goals are. Before we get 
into the meat of this course, we need to introduce these two concepts to the 
trainees and make sure they understand them. 

1.1.3. Objective: This part will introduce the two concepts of INFOSEC and 
COMPUSEC, define the two acronyms and explain how they relate to each other. 

1.1.4. Time: 30 Minutes 

1.2. Sensitive Data Definition 

1.2.1. Definition: Information that requires some level of protection because its 
unauthorized disclosure, alteration, or destruction will cause perceivable 
damage to the institution. [14] 

1.2.2. Importance/Relevance: Trainees should know the classification of data 
and identify the sensitive data that need to be protected and handled with 
caution; trainees should know the best practices of handling and storing 
sensitive data. 
1.2.3. Objective: Trainees will know which information requires some level of 
protection because its loss, misuse, or unauthorized access to or 
modification of it could adversely affect the RSNF or the conduct of its 
operations, or the privacy of its employees. 

1.2.4. Time: 30 minutes 

1.3. Importance Of Security 

1.3.1. Discussion: Information security is a serious issue, and organizations 
should have sound reasons for wanting to protect information. 
Military knowledge and data are arguably the most important assets of any 
organization. Organizations must ensure the confidentiality, integrity and 
availability of their data. 

1.3.2. Importance/Relevance: The importance of information security to military 
operations cannot be overstated. Trainees need to realize how important 
security is to them, their department and the Navy. 

1.3.3. Objective: This part will elaborate on the importance of security to 
organizations in protecting their information and to ensure the unhindered 
exercise of legitimate activities. Some historical incidents should be 
presented in this part. 

1.3.4. Time: 1 Hour 

1.4. The Meaning of “secure” 

1.4.1. Discussion: Secure means the system is free from vulnerabilities and there 
are no threats to it. 

1.4.2. Importance/Relevance: Trainees should know the meaning of secure, and 
the fact that 100% security is generally not achievable. They need to realize 
that the amount of money spent on protecting an information asset is highly 
dependent on the value of the information it holds, and the length of time 
that information needs to be protected. They also need to know that "secure" 
relates to many things (secure system, secure environment, secure 
communication, etc.). 
1.4.3. Objective: Trainees will learn and recognize that secure is a fuzzy word, 
that total security is far from reality, and that absolute security would mean 
zero productivity. They will learn that security translates into operating 
systems in such a way that the residual risk is reduced to an acceptably low 
level. 

1.4.4. Time: 30 Minutes 

1.5. Security Vulnerabilities 

1.5.1. Definition: A security vulnerability is a design flaw in a product that 
makes it susceptible to an accidental or malicious action that may result in 
the violation of the security policy (e.g., a user with no clearance is able to 
view classified information). 

1.5.2. Importance/Relevance: Trainees need to know about the vulnerabilities 
affecting our networks, software, and systems, and how vital it is to stay 
ahead of the hackers trying to steal our data or disrupt our naval operations. 

1.5.3. Objective: For the trainees to obtain a rigorous, quantitative understanding 
of the vulnerabilities of information systems. They have to be aware of the 
weaknesses in the way a system or network is set up, operated, or 
maintained that may make certain information or processes on that system 
available to unauthorized people who in turn may use these for malicious 
purposes. 

1.5.4. Time: 2 Hours 

1.6. Threats 

1.6.1. Definition: Any circumstance or event that has the potential to cause 
harm to a system or network. [16] 

1.6.2. Importance/Relevance: Threats comprise one of the four major terms in 
the risk management equation discussed in section 1, where it was shown that 
residual risk is what is left over after safeguards are applied against the 
product of threats and vulnerabilities. Thus, threats are a key component in 
assessing the overall risk any particular system is exposed to. Only by 
understanding the major threat categories, along with the basic attributes of 
each, can those charged with IA duties choose and apply the appropriate 
safeguards. 

1.6.3. Objective: This part is intended to familiarize trainees with the possible 
threats to the RSNF systems, and will increase their awareness of threats to 
computer systems by giving a broad picture of the threat environment in 
which systems are operated today. 

1.6.4. Time: 2 Hours 

1.7. Countermeasures 

1.7.1. Definition: Protective measures, techniques, and procedures that must be 
applied to information systems (IS) and networks based on risk, threat, 
vulnerability, system interconnectivity considerations, and information 
assurance needs. Levels of protection are: 1) Basic: The IS and networks 
requiring implementation of standard minimum security countermeasures, 2) 
Medium: The IS and networks requiring layering of additional safeguards 
above the standard minimum security countermeasures, 3) High: The IS and 
networks requiring the most stringent protection and rigorous security 
countermeasures. [17] 

1.7.2. Importance/Relevance: As the course will point out, there are risks 
associated with the operation of computers. In order to operate a computer at 
an acceptable level of risk, we need countermeasures. 

1.7.3. Objective: To introduce trainees to the different countermeasures that 
would help them to reduce threats and vulnerabilities, assist in the detection 
of hostile events, or assist with the recovery from an event, and to provide an 
overview of the effective deployment of countermeasures such as firewalls, 
intrusion detection systems and virtual private networks. It will enable them 
to minimize the risks while taking full advantage of the opportunities that 
information and computer systems afford. 

1.7.4. Time: 1 Hour 
1.8. Policies 

1.8.1. Definition: A security policy is a document that states in writing how an 
organization plans to protect the organization's physical and information 
technology (IT) assets. A security policy is often considered to be a "living 
document", meaning that the document is never finished, but is continuously 
updated as technology and employee requirements change. An 
organization's security policy may include an acceptable use policy, a 
description of how the organization plans to educate its employees about 
protecting the organization's assets, an explanation of how security 
measurements will be carried out and enforced, and a procedure for 
evaluating the effectiveness of the security policy to ensure that necessary 
corrections will be made. [18] 

1.8.2. Importance/Relevance: Information security policies are the foundation, 
the "prime mover" in a manner of speaking, of information security practices 
and expenditures within an organization. Policy is management's tool for 
stating WHAT the Information Assurance goals are. As such, policy dictates 
guidance to security implementers so that they may determine HOW the 
goals set forth in the policy will be met, typically by choosing appropriate 
safeguards and by establishing standard security operating procedures. 

1.8.3. Objective: This part is intended to help the trainees understand a coherent 
information security policy. It provides a brief overview of the policies 
applied in different organizations, discusses the primary uses of the 
Internet and the associated policy implications, and provides sample 
policy statements for low, medium and high risk/protection environments. 

1.8.4. Time: 30 Minutes 

1.9. Assurance 

1.9.1. Definition: Acts that protect and defend information and information 
systems (IS) by ensuring their availability, integrity, authentication, 
confidentiality, and nonrepudiation. This includes providing for restoration 
of information systems by incorporating protection, detection, and reaction 
capabilities. [17] 
1.9.2. Importance/Relevance: An understanding of assurance is critical because 
its activities involve many disciplines, and these activities permeate all 
aspects of using computer and information systems. 

1.9.3. Objective: This part discusses assurance perspectives on the underlying 
technologies, reviews the definition of assurance, and helps trainees 
understand assurance technology and standards impacting real-world needs. 
This part presents the goals of an information assurance program, explains 
why meeting these goals is essential to success, and distinguishes between 
the roles and responsibilities of all members of the organization. This part 
also explains how to identify and manage risks to information systems. 

1.9.4. Time: 2 Hours 

2. Network Fundamentals 

2.1. Network Types 

2.1.1. Definition: A group of two or more computer systems linked together. 
There are many types of computer networks, including 1) local area 
networks (LANs), 2) wide area networks (WANs), 3) metropolitan area 
networks (MANs), and 4) personal area networks (PANs). 

2.1.2. Importance/Relevance: A basic understanding of computer networks is 
a prerequisite for understanding the principles of network security. Trainees 
need to understand the fundamentals of networks and how they are 
classified according to their type. 

2.1.3. Objective: This part will cover some of the foundations of computer 
networking, then move on to an overview of some popular networks. The 
Open Systems Interconnection model (OSI) will be introduced to trainees so 
that they understand the relationships between OSI, TCP/IP and any 
generic network protocol stack that employs the layered concept of 
encapsulation. Following that, this part will take a more in-depth look at 
TCP/IP, the network protocol suite that is used to run the Internet and many 
intranets. While there are several different network types, this part explains 
the two most popular types of networks: LANs and WANs. 

2.1.4. Time: 30 Minutes 
2.2. Network Topologies 

2.2.1. Definition: The specific physical (i.e., real) or logical (i.e., virtual) 
arrangement of the elements of a network. We could say that two networks 
have the same topology if the connection configuration is the same, although 
the networks may differ in physical interconnections, distances between 
nodes, transmission rates, and/or signal types. [19] 

2.2.2. Importance/Relevance: Trainees are expected to have a basic 
understanding of the network topologies, and how the network devices are 
connected to each other. 

2.2.3. Objective: This part explains the three standard topologies of 
computer networking: 1) contention-based (bus), 2) ring, and 3) switched. 
Trainees will learn the different layouts of connected devices on a network. 
It is very important for trainees to fully understand them, as they are key 
elements in understanding and troubleshooting networks and will help them 
decide what actions to take when they are faced with network problems. 

2.2.4. Time: 30 Minutes 

2.3. Network Devices 

2.3.1. Definition: Any part of a network is called a network device; we are 
especially interested in devices that forward packets between nodes in a 
network or between different networks. 

2.3.2. Importance/Relevance: Network hubs, switches, and routers provide 
quite an array of advanced features that interoperate with other network 
devices. Changes to one device can cause changes to others, and these 
devices are susceptible parts of any network. Trainees thus need to 
understand these network devices, their functions, and the vulnerabilities 
they bring to a network. 

2.3.3. Objective: The network devices discussed in this part are hubs, 
switches and routers; trainees will gain a good understanding of switching 
and routing technologies. The part will provide a solid understanding of 
networking devices, which will enable trainees to understand inter-networks 
more expediently. In addition, trainees will learn how important it is, on 
critical subnets, to configure network devices correctly: enabling needed 
services, restricting access to configuration services by port, interface or IP 
address, disabling broadcasts and source routing, choosing strong 
(non-default) passwords, enabling logging, and choosing carefully who has 
user/enable/admin access. 

2.3.4. Time: 1 Hour 

2.4. Important Layer 3/4 Network Protocols 

2.4.1. Discussion: A set of formal rules describing how to transmit data across a 
network. Low-level protocols define the electrical and physical standards to 
be observed, bit- and byte-ordering and the transmission and error detection 
and correction of the bit stream. High level protocols deal with the data 
formatting, including the syntax of messages, the terminal to computer 
dialogue, character sets, sequencing of messages etc.[20] 

2.4.2. Importance/Relevance: Trainees should understand the implications of 
using high-level network protocols operating in an open-system 
environment. 

2.4.3. Objective: The focus of this part is to understand the high-level network 
protocols, which include the layer 3 and 4 protocols (IP, TCP, UDP and ICMP). 
These protocols will be reviewed, but more from the point of view of 
understanding the properties of various protocols and the practical issues in 
their use, rather than the technology behind them. General networking will 
also be covered in order to understand the implications of various 
approaches; for instance, using UDP (layer 4) vs. TCP (layer 4). Trainees 
will learn how layer four (transport) transfers data between end systems and 
provides end-to-end error recovery and flow control, and how layer three (network) 
provides the addressing scheme necessary for routing packets throughout the 
network. 

2.4.4. Time: 2 Hours 
2.5. How Packets Get Routed 

2.5.1. Discussion: Routing is the technique by which data finds its way from 
one host computer to another. In the Internet context there are three major 
aspects of routing: 1) Physical address determination, 2) Selection of 
inter-network gateways, 3) Symbolic and numeric addresses. [21] 

2.5.2. Importance/Relevance: Trainees should have an understanding of a 
routing configuration that reflects different network topologies and how 
packets get delivered to their desired destinations. 

2.5.3. Objective: This part introduces the underlying concepts widely used in 
routing protocols. Concepts summarized here include routing protocol 
components. In addition, it will address specific routing protocols in more 
detail. In this part trainees will learn about the IP datagram and why it is 
necessary to encapsulate the IP datagram within whatever frame format is in 
use on the local network or networks to which the computer is attached, and 
the fact that this encapsulation requires the inclusion of a local network 
address or physical address within the frame. Moreover, they will learn how 
local networks are interconnected by one or more gateways, generally known as 
routers. Finally, they will learn how addresses get translated from a 
reasonably human-friendly form to numeric IP addresses by the Domain 
Name System (DNS). 

2.5.4. Time: 2 Hours 
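The route selection and encapsulation step described in 2.5.3, worked through as an added Python example that is not part of the original thesis: a longest-prefix-match lookup picks the route, and the frame is addressed to the physical address of the next hop while the IP header keeps the final destination. The routing table, ARP cache entries and addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table of a host whose interface eth0 sits on 10.0.1.0/24.
# gateway None means the prefix is directly connected (no router in between).
ROUTES = [
    {"prefix": "10.0.1.0/24", "gateway": None,         "iface": "eth0"},
    {"prefix": "10.0.0.0/8",  "gateway": "10.0.1.1",   "iface": "eth0"},
    {"prefix": "0.0.0.0/0",   "gateway": "10.0.1.254", "iface": "eth0"},  # default route
]

# Constructed ARP cache: physical (MAC) addresses of hosts on the local link.
ARP_CACHE = {
    "10.0.1.37":  "02:00:00:00:00:37",
    "10.0.1.1":   "02:00:00:00:00:01",
    "10.0.1.254": "02:00:00:00:00:fe",
}


def lookup(routes, dst):
    """Longest-prefix match: among the routes whose prefix contains dst, the
    one with the longest prefix (the most specific) wins."""
    d = ip_address(dst)
    best = None
    for r in routes:
        net = ip_network(r["prefix"])
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return None if best is None else best[1]


def next_hop(routes, dst):
    """Return (next_hop_ip, iface): the destination itself when it is directly
    connected, otherwise the gateway that will forward the datagram."""
    r = lookup(routes, dst)
    if r is None:
        raise ValueError(f"no route to {dst}")
    return (dst if r["gateway"] is None else r["gateway"], r["iface"])


def encapsulate(routes, arp, dst, payload):
    """Build the frame for a datagram to dst. The IP header keeps the final
    destination; the frame carries the local (physical) address of the next
    hop, which is why encapsulation needs a local address in the frame."""
    hop, iface = next_hop(routes, dst)
    if hop not in arp:
        raise LookupError(f"no physical address for next hop {hop} on {iface}")
    return {"iface": iface, "frame_dst_mac": arp[hop], "ip_dst": dst, "payload": payload}


if __name__ == "__main__":
    for dst in ("10.0.1.37", "10.0.5.9", "203.0.113.9"):
        print(dst, "->", encapsulate(ROUTES, ARP_CACHE, dst, b"data"))
```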

3. Computer System Security and Access Controls 

3.1. System Access Control 

3.1.1. Definition: System access control is any mechanism by which a system 
grants or revokes the right to access some data, or perform some action. 
Normally, a user must first log in to a system, using some Identification and 
Authentication (I&A) system. [22] 

3.1.2. Importance/Relevance: It is essential that trainees be aware of how 
access to systems is controlled and how a system administrator can control 
access to files and folders using system access controls. The importance of 
picking a good, secure password cannot be emphasized enough. Until 
computers are able to recognize people on sight, the primary method of 
identifying oneself to a computer will remain the password. A password 
operates much like a key or combination. It is a means of authenticating to 
the computer that you are who you claim to be. Unfortunately, passwords 
can be as easily compromised as keys and combinations. 

3.1.3. Objective: This part will cover the concepts of identification and 
authentication and how users are usually identified by a challenge and 
response system; additionally, trainees will learn the mandatory standards for 
password selection and the purpose of these standards. Students must 
understand that passwords are often either: a) the only defense or b) 
the weakest link in a defense used to protect stronger machine-generated 
cryptographic keys. They are easily attacked via dictionary or brute-force 
cracker programs, unless strong passwords are utilized. Students should 
understand that the "math" is in their favor, by explanation of the general 
combinatorics relation which will give them brute-force resistant passwords. 
Students should also be exposed to good password selection mnemonics, 
such as using the first letter of an easily remembered phrase, or making letter 
substitutions (e.g., substituting ‘5’ for ‘S’). 

3.1.4. Time: 1 Hour 
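The combinatorics relation from 3.1.3, worked through as an added Python example that is not from the original thesis: the keyspace N^L for an alphabet of N characters and length L, the expected number of brute-force guesses, and the shortest length that outlasts a given guessing rate. The alphabet sizes and attacker rates are constructed illustrations; the dictionary function shows why a substituted dictionary word does not benefit from the relation.

```python
# Alphabet sizes a password policy commonly talks about (constructed figures
# based on printable ASCII: 26 lower, 26 upper, 10 digits, 32 symbols).
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all printable ASCII": 94,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters: N ** L."""
    return alphabet_size ** length


def expected_guesses(alphabet_size: int, length: int) -> int:
    """A brute-force search that tries every candidate succeeds, on average,
    after half of the keyspace."""
    return keyspace(alphabet_size, length) // 2


def seconds_to_crack(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected wall-clock time for an attacker guessing at the given rate."""
    return expected_guesses(alphabet_size, length) / guesses_per_second


def min_length_for(alphabet_size: int, guesses_per_second: float, years: float) -> int:
    """Smallest length L such that the expected brute-force time exceeds
    `years`, i.e. the smallest L with N ** L > 2 * rate * years (in seconds).
    Integer exponentiation is used instead of logarithms so that exact powers
    are not mis-rounded."""
    target = 2 * guesses_per_second * years * SECONDS_PER_YEAR
    length = 1
    while alphabet_size ** length <= target:
        length += 1
    return length


def dictionary_guesses(word_count: int, substitutable_positions: int) -> int:
    """Upper bound on candidates for a dictionary word with simple
    letter-for-symbol substitutions (e.g. '5' for 'S'): each substitutable
    position at most doubles the list. Compare with keyspace(): the
    combinatorics only help when the password is not a single dictionary word."""
    return word_count * 2 ** substitutable_positions


def policy_table(guesses_per_second: float, years: float) -> dict:
    """Minimum length per alphabet that resists the given attacker for `years`."""
    return {name: min_length_for(n, guesses_per_second, years)
            for name, n in ALPHABETS.items()}


if __name__ == "__main__":
    # Constructed attacker: ten billion guesses per second, must hold 100 years.
    for name, length in policy_table(1e10, 100).items():
        print(f"{name:22s} needs length >= {length}")
    print("substituted dictionary word, 170000 words, 3 positions:",
          dictionary_guesses(170_000, 3), "candidates")
```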

3.2. Data Access Controls 

3.2.1. Definition: Data access control is the collection of mechanisms that 
permits managers of a system to exercise a directing or restraining influence 
over the behavior, use and content of a system. It permits management to 
specify what users can do, which resources they can access and what 
operations they can perform. [23] 

3.2.2. Importance/Relevance: Unauthorized access to highly sensitive data can 
compromise the RSNF data, employees’ information, and strategic RSNF 
information. It is important for trainees to understand how an operating 
system could be secured using the different access control techniques. 

3.2.3. Objective: This part describes the security model for controlling access to 
application objects, such as files, and for controlling access to administrative 
functions, such as auditing user actions. The Access-Control topic will 
provide a high-level description of the access-control components and how 
they interact with each other. In addition, trainees will learn some of the data 
access control techniques, such as Discretionary access control (DAC), 
Mandatory access control (MAC) and access control lists (ACL). Trainees 
need to know that access control (also called protection or authorization) is a 
security function that protects shared resources against unauthorized 
accesses, and that the distinction between authorized and unauthorized 
accesses is made according to an access control policy. Moreover, they will 
know what we mean by objects and subjects in a resource, which are 
protected by access control. This part will educate trainees that access 
control is employed to enforce security requirements such as confidentiality 
and integrity of data resources (e.g., files, database tables), to prevent the 
unauthorized use of resources (e.g., programs, processor time, expensive 
devices), or to prevent denial of service. 

3.2.4. Time: 1 Hour 

3.3. Access Control Models 

3.3.1. Definition: Techniques which mediate accesses to objects by subjects. 
The technique may be implemented in hardware or software. There are three 
popular models that are found in access control systems: 1) Bell & LaPadula, 
where information does not flow to an object of lower classification; 2) 
Clark-Wilson, where no subject may depend on a less trusted object or subject; 3) 
Biba, where objects of lower integrity are not permitted to flow to objects of 
higher integrity. 

3.3.2. Importance/Relevance: Security models are an important concept in the 
design of any secure system. A security model is one of the key architectural 
features that make a system an appropriate technology for networked environments. 
Security is important because networks represent a potential avenue of attack 
to any computer hooked to them. 

3.3.3. Objective: This part aims to provide trainees with an essential 
understanding of one of the computer security technologies. This includes 
high-level issues such as security policy (modeling what ought to be 
protected). It also involves a review of security policy models, such as 
Bell-LaPadula, Clark-Wilson, Biba and the Take-Grant model. In addition, trainees 
will learn how these access controls allow only authorized users, programs 
or processes system or resource access, and how they grant or 
deny, according to a particular security model, certain permissions to 
access a resource. Moreover, trainees will learn that access control models 
are an entire set of procedures performed by hardware, software and 
administrators, to monitor access, identify users requesting access, record 
access attempts, and grant or deny access based on preestablished rules. 

3.3.4. Time: 1 Hour 
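The Bell-LaPadula and Biba rules of 3.3.1, layered with a discretionary ACL as mentioned in 3.2.3, as an added reference-monitor example in Python that is not from the original thesis; the confidentiality and integrity lattices, the subjects, objects and ACL entries are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed lattices: confidentiality levels for Bell-LaPadula, integrity
# levels for Biba. Both are totally ordered here, lowest first.
CONF_LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]
INTEG_LEVELS = ["LOW", "MEDIUM", "HIGH"]
CONF_RANK = {lvl: i for i, lvl in enumerate(CONF_LEVELS)}
INTEG_RANK = {lvl: i for i, lvl in enumerate(INTEG_LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str   # confidentiality label (BLP)
    integrity: str   # integrity label (Biba)


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str
    integrity: str


def blp_allows(s: Subject, o: Obj, op: str) -> bool:
    """Bell-LaPadula confidentiality rules.
    read:  simple security property, 'no read up'   (clearance >= classification)
    write: *-property,               'no write down' (classification >= clearance)
    """
    sc, oc = CONF_RANK[s.clearance], CONF_RANK[o.classification]
    if op == "read":
        return sc >= oc
    if op == "write":
        return oc >= sc
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(s: Subject, o: Obj, op: str) -> bool:
    """Biba strict integrity rules, the dual of BLP.
    read:  'no read down' (object integrity >= subject integrity)
    write: 'no write up'  (subject integrity >= object integrity)
    """
    si, oi = INTEG_RANK[s.integrity], INTEG_RANK[o.integrity]
    if op == "read":
        return oi >= si
    if op == "write":
        return si >= oi
    raise ValueError(f"unknown operation {op!r}")


# Discretionary layer: a constructed access control list per object,
# object name -> {subject name -> set of permitted operations}.
ACL = {
    "ops_plan.doc": {"analyst": {"read", "write"}, "clerk": {"read"}},
    "public_notice.txt": {"analyst": {"read"}, "clerk": {"read", "write"}},
}


def dac_allows(s: Subject, o: Obj, op: str) -> bool:
    return op in ACL.get(o.name, {}).get(s.name, set())


def decide(s: Subject, o: Obj, op: str) -> dict:
    """Reference-monitor style decision: the mandatory models (BLP and Biba)
    and the discretionary ACL must all permit the access. Every partial
    result is returned so a trainee can see which rule denied."""
    result = {
        "blp": blp_allows(s, o, op),
        "biba": biba_allows(s, o, op),
        "dac": dac_allows(s, o, op),
    }
    result["granted"] = all(result.values())
    return result


# Constructed subjects and objects.
ANALYST = Subject("analyst", "SECRET", "HIGH")
CLERK = Subject("clerk", "UNCLASSIFIED", "LOW")
OPS_PLAN = Obj("ops_plan.doc", "SECRET", "HIGH")
NOTICE = Obj("public_notice.txt", "UNCLASSIFIED", "LOW")

if __name__ == "__main__":
    for s, o, op in [(ANALYST, OPS_PLAN, "read"), (CLERK, OPS_PLAN, "read"),
                     (ANALYST, NOTICE, "read"), (CLERK, OPS_PLAN, "write"),
                     (CLERK, NOTICE, "write")]:
        print(f"{s.name} {op} {o.name}: {decide(s, o, op)}")
```

Note how BLP alone would let the low-clearance clerk write up into ops_plan.doc; it is the Biba "no write up" rule (and here the ACL) that stops it, while the analyst reading the low-integrity notice is allowed by BLP but refused by Biba's "no read down".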

4. Types Of Attacks 

4.1. Probes and Scans 

4.1.1. Definition: A probe is characterized by unusual attempts to gain access to 
a system or to discover information about the system. One example is an 
attempt to log in to an unused account. Probing is the electronic equivalent 
of testing doorknobs to find an unlocked door for easy entry. Probes are 
sometimes followed by a more serious security event, but they are often the 
result of curiosity or confusion. A scan is simply a large number of 
probes done using an automated tool. Scans can sometimes be the result of a 
misconfiguration or other error, but they are often a prelude to a more 
directed attack on systems that the intruder has found to be vulnerable.[23] 

4.1.2. Importance/Relevance: Understanding the real threats to our computers is 
crucial to formulating an effective computer security plan. It is important for 
trainees to know about probing and scanning since they are an early warning 
of a potential follow-on act against the system. 

4.1.3. Objective: Trainees will be introduced to the concepts of probing and 
scanning and how they are used by attackers to find any vulnerability in 
our systems. Trainees will learn how to use network probing or scanning 
tools to test a network for weaknesses that attackers might exploit, and how 
a probing or scanning test can be conducted using one of two approaches: 
black-box (with no prior knowledge of the infrastructure to be tested) and 
white-box (with complete knowledge of the network infrastructure). 

4.1.4. Time: 30 Minutes 
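The early-warning side of 4.1.2, as an added Python example that is not from the original thesis: a detector that flags a scan, taken here as one source address hitting many distinct destination ports within a short window, run over constructed firewall deny-log lines. The log format, the 60-second window and the five-port threshold are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall connection-log lines (not real traffic).
# 10.0.0.5 sweeps six ports in five seconds; 10.0.0.9 is ordinary noise;
# 10.0.0.12 probes one port every 90 seconds (a slow scan).
SAMPLE_LOG = """\
2024-03-01T08:00:00 DENY src=10.0.0.5 dst=10.0.1.7 dport=21
2024-03-01T08:00:01 DENY src=10.0.0.5 dst=10.0.1.7 dport=22
2024-03-01T08:00:02 DENY src=10.0.0.5 dst=10.0.1.7 dport=23
2024-03-01T08:00:03 DENY src=10.0.0.5 dst=10.0.1.7 dport=25
2024-03-01T08:00:04 DENY src=10.0.0.5 dst=10.0.1.7 dport=80
2024-03-01T08:00:05 DENY src=10.0.0.5 dst=10.0.1.7 dport=443
2024-03-01T08:00:06 ACCEPT src=10.0.0.9 dst=10.0.1.7 dport=80
2024-03-01T08:00:07 DENY src=10.0.0.9 dst=10.0.1.7 dport=445
2024-03-01T08:02:00 DENY src=10.0.0.9 dst=10.0.1.7 dport=445
2024-03-01T08:00:00 DENY src=10.0.0.12 dst=10.0.1.8 dport=21
2024-03-01T08:01:30 DENY src=10.0.0.12 dst=10.0.1.8 dport=22
2024-03-01T08:03:00 DENY src=10.0.0.12 dst=10.0.1.8 dport=23
2024-03-01T08:04:30 DENY src=10.0.0.12 dst=10.0.1.8 dport=25
2024-03-01T08:06:00 DENY src=10.0.0.12 dst=10.0.1.8 dport=80
""".splitlines()

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or None when the line does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_scans(lines, window=timedelta(seconds=60), min_ports=5) -> dict:
    """Flag a source as scanning when its denied connection attempts reach
    `min_ports` distinct destination ports inside any `window`. Returns
    {source_ip: largest distinct-port count seen in one window}."""
    events = [e for e in map(parse_line, lines) if e and e["action"] == "DENY"]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


if __name__ == "__main__":
    print("60 s window:", detect_scans(SAMPLE_LOG))
    print("10 min window:", detect_scans(SAMPLE_LOG, window=timedelta(minutes=10)))
```

The slow scanner only shows up with the wider window, which is the tuning trade-off an analyst faces: a short window keeps alerts precise, a long one catches probes spread out over time.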

4.2. Account Compromise 

4.2.1. Discussion: An account compromise is the unauthorized use of a computer 
account by someone other than the account owner, without involving 
system-level or root-level privileges (privileges a system administrator or 
network manager has).[23] 

4.2.2. Importance/Relevance: Ramifications from an account compromise can 
range from annoying to catastrophic. If an attacker gets hold of a user 
account, the system can be compromised in a way that we might not notice. 
Account compromise might expose systems to serious data loss, data theft, 
or theft of services. 

4.2.3. Objective: In this part trainees will learn how important it is to keep their 
accounts safe from being compromised, and what the possible drawbacks of 
losing someone’s account are. Trainees should recognize that computer 
security relies on secret passwords. These passwords must be adequately 
safe against 'cracking' programs that attempt to guess them. They must be 
kept secret, and thus must not be shared among users. To ensure this, 
trainees must keep them secret and must not transmit them unencrypted across 
the network. 

4.2.4. Time: 30 Minutes 
4.3. Packet Sniffing 

4.3.1. Definition: Packet sniffing is the process of capturing data from 
information packets as they travel over the network using a packet sniffer 
program. That data may include user names, passwords, and proprietary 
information that travel over the network in clear text. With perhaps hundreds 
or thousands of passwords captured by the packet sniffing programs, 
intruders can launch widespread attacks on systems. Installing a packet-
sniffing program does not necessarily require privileged access. For most 
multi-user systems, however, the presence of a packet sniffer implies there 
has been a root compromise. [24] 

4.3.2. Importance/Relevance: One of the oldest methods of stealing information 
off a network is through packet sniffing. Intruders may gain unauthorized 
access to machines and plant "packet sniffers" on them. Packet sniffing, 
which has been around since the invention of Ethernet, has legitimate uses. 
Today, however, the threat of misuse of these programs has increased 
greatly because they can be downloaded readily via the Internet. 

4.3.3. Objective: This part will introduce the trainees to packet sniffing in 
computer networks, what we mean by packet sniffing, and what it takes to 
sniff a packet from a network. Finally, an explanation of how these sniffed 
packets might be used to exploit our network. Trainees will also learn how a 
packet sniffer can be legitimately used to capture, monitor and analyze 
network traffic, and to detect bottlenecks and other network-related problems. 
Moreover, how a network manager, using this information, can keep traffic 
flowing efficiently. 

4.3.4. Time: 30 Minutes 

4.4. Denial of Service 

4.4.1. Definition: A denial of service (DoS) attack is an incident in which a user 
or organization is deprived of the services of a resource they would normally 
expect to have. Typically, the loss of service is the inability of a particular 
network service, such as e-mail, to be available or the temporary loss of all 
network connectivity and services. In the worst cases, for example, a Web 
site accessed by millions of people can occasionally be forced to temporarily 
cease operation. A denial of service attack can also destroy programming 
and files in a computer system. Although usually intentional and malicious, 
a denial of service attack can sometimes happen accidentally. A denial of 
service attack is a type of security breach to a computer system that does not 
usually result in the theft of information or other security loss. However, 
these attacks can cost the target person or company a great deal of time and 
money. [24] 

4.4.2. Importance/Relevance: Today's complex network environments and Web 
hosting systems are vulnerable to break-ins and disruptions. Denial-of-Service 
(DoS) attacks, in which legitimate users are denied access to Web servers 
and target systems, can pose especially serious problems for the RSNF. It is 
important that trainees know about the most common type of attack on 
networks (denial-of-service attacks), which can disrupt or completely disable 
their network. 

4.4.3. Objective: This part provides a general overview of attacks in which the 
primary goal of the attack is to deny the victim(s) access to a particular 
resource. It should include information on how trainees can help and respond 
to such an attack. It aims to have trainees understand that a denial of 
service (DoS) attack is not a virus but a method hackers use to prevent or 
deny legitimate users access to a computer, and that not all service outages, 
even those that result from malicious activity, are necessarily denial-of-
service attacks. Trainees will also learn that denial-of-service attacks come 
in a variety of forms and aim at a variety of service types; some of these 
attacks will be explained in this part. 

4.4.4. Time: 1 Hour 
4.5. Spoofing 

4.5.1. Definition: A technique used to gain unauthorized access to computers, 
whereby the intruder sends messages to a computer with an IP address 
indicating that the message is coming from a trusted host. To engage in IP 
spoofing, a hacker must first use a variety of techniques to find an IP address 
of a trusted host and then modify the packet headers so that it appears that 
the packets are coming from that host.[25] 

4.5.2. Importance/Relevance: Spoofing attacks are difficult to detect. They are 
becoming more and more popular now. An improperly configured firewall 
will allow all traffic from any computer with a spoofed source IP address, 
which could result in a security vulnerability. Trainees need to completely 
understand how spoofing attacks can take place, and what the 
possible effects of these attacks on the Navy are. 

4.5.3. Objective: This part of the ISATP describes the use of IP spoofing as a 
method of attacking a network in order to gain unauthorized access. Trainees 
will learn the TCP and IP authentication process and then how an attacker 
can spoof the network. Trainees will learn that spoofing is mostly done 
when the attacker is engaging in a DoS type of attack - that is, he just wants to 
disrupt you and does not expect or need data to return to him. They should 
realize that the only way to prevent these attacks is to implement security 
measures like encrypted authentication to secure your network. 

4.5.4. Time: 30 Minutes 

4.6. Malicious Software “Malware” 

4.6.1. Definition: Malicious software is a general term for programs that, when 
executed, would cause undesired results on a system. Users of the system 
usually are not aware of the program until they discover the damage. 
Malicious software includes Trojan horses, viruses, and worms. Trojan 
horses and viruses are usually hidden in legitimate programs or files that 
attackers have altered to do more than what is expected. Worms are self-
replicating programs that spread with no human intervention after they are 
started. Viruses are also self-replicating programs, but usually require some 
action on the part of the user to spread inadvertently to other programs or 
systems. These sorts of programs can lead to serious data loss, downtime, 
denial of service, and other types of security incidents.[23] 

4.6.2. Importance/Relevance: The danger presented today by malicious software 
to our Navy’s computer-based, mission-critical systems is greater than ever. 
The number of malicious code incidents continues to climb and trainees 
need to be aware of the increasing “malware” threats and specific defensive 
techniques to combat malicious software. 

4.6.3. Objective: This part examines malicious software detection and malicious 
software defenses. Viruses, worms and Trojan horses will be 
discussed. Trainees will review some of the well-known viruses and worms 
to understand how they affected the world economy. Upon completing this 
part trainees will be able to define malware and identify its various forms, 
explain how viruses, worms, Trojan horses and other types of malware work, 
and describe the ways that malware can harm information assets. Moreover, they 
will be able to describe ways to prevent, detect, and respond to a malware 
incident, explain how anti-virus programs work, and distinguish hype and 
hoaxes from real malware threats. 

4.6.4. Time: 2 Hours 

4.7. Social Engineering 

4.7.1. Definition: An outside hacker's use of psychological tricks on legitimate 
users of a computer system, in order to gain the information (usernames and 
passwords) he needs to gain access to the system. [26] 

4.7.2. Importance/Relevance: Social engineering can be used to gain access on 
any system despite the platform or the quality of the hardware and software 
present. It is the hardest form of attack to defend against because hardware 
and software alone will not stop it. With the immeasurable security threat 
that social engineering brings to the computing community, trainees need to 
be familiar with these types of attacks. 

4.7.3. Objective: This part will discuss the basics of social engineering by giving 
a general overview of social engineering. It will then discuss what makes 
social engineering so successful. It aims to make trainees aware of the 
preparation an attacker may go through, and how this can be made difficult 
by appropriate security measures. 

4.7.4. Time: 30 Minutes 

5. Intrusion Detection 

5.1. Network Based 

5.1.1. Definition: A network-based IDS watches live network packets and looks 
for signs of computer crime, network attacks, network misuse and 
anomalies. When it observes an event, it can send pages and email messages, 
and record it for future forensic analysis.[27] 

5.1.2. Importance/Relevance: With the growing reliance on network-based 
services and the Internet, organizations are faced with a growing challenge 
to protect their systems from attacks. IDSs are the latest and most powerful 
tools used for alerting the analyst to network-based exploits. Therefore, 
trainees are required to have some knowledge of intrusion detection 
systems (IDSs). 

5.1.3. Objective: This part offers a quick start in intrusion detection. It will 
provide trainees with knowledge on how attackers break into systems and 
networks, and how a network-based IDS can play a key role in detecting 
these events within a network. They will also learn how a network-based 
IDS can be used to determine what exploits are occurring in their network. 

5.1.4. Time: 1 Hour 

5.2. Host Based 

5.2.1. Definition: Host-based ID involves loading a piece or pieces of software 
on the system to be monitored. The loaded software uses log files and/or the 
system's auditing agents as sources of data. [27] 

5.2.2. Importance/Relevance: IDS is a key component and an important tool in 
computer and network security; just like the previous part of this section, 
trainees need to know the different types of ID systems and what the 
major pros and cons of each one of them are. 

5.2.3. Objective: This part will cover the ins and outs of a host-based intrusion 
detection system. Trainees will learn how a host-based IDS operates and the 
trade-offs of using it alone. 

5.2.4. Time: 30 Minutes 

5.3. Passive Response 

5.3.1. Discussion: A passive IDS will simply alert that an attack may be happening 
and provide the data to start investigating. 

5.3.2. Importance/Relevance: Most of the intrusion detection systems fall into 
this category. Trainees need to be aware that most of the old IDS systems are 
passive and will only report an exploit, regardless of the type of IDS 
(network- or host-based) used to detect it. 

5.3.3. Objective: In this part, trainees will be introduced to passive IDSs, 
how they work, and what they can and cannot do. 

5.3.4. Time: 30 Minutes 

5.4. Active Response (IDP) 

5.4.1. Discussion: An active IDS, instead of only sending an alert, will also 
react in some way; this can be reconfiguring a packet filtering device, killing a 
connection, locking a user account, etc. 

5.4.2. Importance/Relevance: Response capabilities for threats and attacks are 
crucial for any intrusion detection system. Most network-based and host-
based IDSs share common threat and attack response options. 

5.4.3. Objective: The aim of this part is to make trainees understand the role of 
an IDP and how it differs from the normal IDSs. Trainees need to realize 
that firewalls can limit the ability of external hackers to attack IT services, 
but if they want to secure their systems fully then they will need additional 
levels of protection for Intrusion Detection and Prevention (IDP). They 
should realize that a firewall by itself is not enough. 

5.4.4. Time: 30 Minutes 
6. Traffic Filtering (Firewalls) 

6.1. Types of Firewalls 

6.1.1. Definition: A system designed to prevent unauthorized access to or from a 
private network. Firewalls can be implemented in both hardware and 
software, or a combination of both. Firewalls are frequently used to prevent 
unauthorized Internet users from accessing private networks connected to 
the Internet, especially intranets. All messages entering or leaving the 
intranet pass through the firewall, which examines each message and blocks 
those that do not meet the specified security criteria. There are several types 
of firewall techniques: 1) Stateless, 2) Stateful, 3) Dynamic, 4) Proxy based, 
5) Network based, and 6) Host based (Personal).[25] 

6.1.2. Importance/Relevance: With the increased connectivity to the Internet and 
the wide availability of automated cracking tools, organizations can no 
longer simply rely on operating system security to protect their valuable 
corporate data. The firewall has emerged as a primary tool used to prevent 
unauthorized access. 

6.1.3. Objective: In this part, trainees will gain experience with firewalls: how 
they allow access to key services while maintaining our Navy's security, as 
well as the underlying theory and the practical application of a firewall system. 
By the end of this part, trainees will understand how a firewall works, 
identify types of firewalls, and choose a suitable firewall system. 

6.1.4. Time: 2 Hours 

6.2. Firewall Configurations 

6.2.1. Discussion: A rule-set that specifies what services to let through a firewall, 
and which ones to keep out. A rule defines the parameters against which 
each connection is compared, resulting in a decision on what action to take 
for each connection. Firewall configuration is a complex activity. The 
complexity depends on the network topology and the security policy desired. 
Firewall configurations vary from organization to organization. Most often, 
the firewall consists of several components that can be configured in 
different ways. 

6.2.2. Importance/Relevance: With network security becoming such a hot topic, 
a trainee might be assigned to implement or reassess a firewall 
configuration. 

6.2.3. Objective: In this part, trainees will be introduced to some common 
firewall configurations and some best practices for designing a secure 
network topology. At the end of this part trainees will be familiar with the 
most common firewall configurations and how they can increase security. 

6.2.4. Time: 2 Hours 
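The rule comparison described in 6.2.1, as an added Python example that is not from the original thesis: each connection is compared against the rules in order and the first match decides, with deny as the default. It also places the improperly configured firewall of 4.5.2, which trusts any packet claiming an internal source address, beside a corrected rule-set whose first rule is an ingress anti-spoofing check; the address ranges, interface names, rules and sample connections are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"   # constructed internal address space


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    iface: str                   # "wan", "lan" or "any": interface the packet arrives on
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every parameter of the rule matches the connection."""
    return (rule.iface in ("any", pkt.iface)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(ruleset: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation: the first rule whose parameters match decides;
    a connection matching nothing falls to the default action."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.action
    return default


# Weak rule-set: trusts any packet with an internal source address no matter
# which interface it arrived on, so a spoofed internal source from outside
# matches the first rule.
WEAK_RULES = [
    Rule("allow", "any", INTERNAL, ANY, "any"),
    Rule("allow", "any", ANY, "10.0.1.7/32", "tcp", 443),   # public web server
]

# Corrected rule-set: an ingress anti-spoofing rule first drops anything on
# the external interface that claims an internal source; internal trust is
# then granted only on the internal interface.
HARDENED_RULES = [
    Rule("deny", "wan", INTERNAL, ANY, "any"),              # anti-spoofing
    Rule("allow", "wan", ANY, "10.0.1.7/32", "tcp", 443),   # public web server
    Rule("allow", "lan", INTERNAL, ANY, "any"),             # internal hosts
]

# Constructed sample connections.
SPOOFED = Packet("wan", "10.0.0.5", "10.0.1.20", "tcp", 22)       # forged internal source
WEB = Packet("wan", "203.0.113.9", "10.0.1.7", "tcp", 443)
INTERNAL_SSH = Packet("lan", "10.0.0.5", "10.0.1.20", "tcp", 22)
OUTSIDE_SSH = Packet("wan", "203.0.113.9", "10.0.1.20", "tcp", 22)

if __name__ == "__main__":
    for name, pkt in [("spoofed", SPOOFED), ("web", WEB),
                      ("internal ssh", INTERNAL_SSH), ("outside ssh", OUTSIDE_SSH)]:
        print(f"{name:13s} weak={evaluate(WEAK_RULES, pkt):5s} "
              f"hardened={evaluate(HARDENED_RULES, pkt)}")
```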

7. Cryptography 

7.1. Algorithms 

7.1.1. Definition: The art of protecting information by transforming it 
(encrypting it) into an unreadable format, called cipher text. Only those who 
possess a secret key can decipher (or decrypt) the message into plain text. 
Encrypted messages can sometimes be broken by cryptanalysis, also called 
code breaking, although modern cryptography techniques are virtually 
unbreakable.[25] 

7.1.2. Importance/Relevance: As the Internet and other forms of electronic 
communication become more prevalent, electronic security is becoming 
increasingly important. The use of cryptography is no longer a privilege 
reserved for governments and highly skilled specialists, but is becoming 
available for everyone to make use of. 

7.1.3. Objective: The objective of this part is to introduce the fundamentals of 
cryptography to trainees; specifically it will present basic terminology and 
concepts and describe how cryptography can be used to safeguard the 
confidentiality, authenticity and integrity of information. Trainees will learn 
the history and state-of-the art in cryptography, the relationship between 
cryptography and security, gain experience with basic encryption techniques 
including symmetric (DES,3DES), asymmetric (RSA, Elliptic curve) 
ciphers, hashing and how cryptography is used to authenticate the originator 
of information. 

7.1.4. Time: 2 Hours 
7.2. PKI 

7.2.1. Definition: Short for public key infrastructure, a system of digital 
certificates, Certificate Authorities, and other registration authorities that 
verify and authenticate the validity of each party involved in an Internet 
transaction. PKIs are currently evolving and there is no single PKI nor even 
a single agreed-upon standard for setting up a PKI.[25] 

7.2.2. Importance/Relevance: A public key infrastructure (PKI) is an 
increasingly critical component for ensuring privacy and authentication in an 
enterprise. This technology is capable of securing a wide range of 
applications across our Navy. Successful PKI deployment requires detailed 
knowledge of it. 

7.2.3. Objective: In this part, trainees will learn how certificate authority (CA) 
and public key infrastructure (PKI) technologies could be used to ensure the 
safety of their information assets. They will also evaluate the pros and cons 
of public and shared keys and define digital certificate, furthermore, they 
will drill down to the elements of a PKI, including certification authority, 
key backup and recovery and certificate revocation. They will discover why 
each piece is essential; learn how each one integrates into a PKI solution, 
review PKI implementation strategies and new developments. Finally, 
trainees will gain knowledge of digital signatures and how they can create 
them using a PGP program. 

7.2.4. Time: 2 Hours 

8. Steganography 

8.1.1. Definition: Steganography (from Greek steganos, or "covered," and 
graphic, or "writing") is the hiding of a secret message within an ordinary 
message and the extraction of it at its destination. Steganography includes a 
vast array of techniques for hiding messages in a variety of media. Among 
these methods are invisible inks, microdots, digital signatures, covert 
channels and spread-spectrum communications. Steganography takes 
cryptography a step farther by hiding an encrypted message so that no one 
suspects it exists. Ideally, anyone scanning the data will fail to know it 
contains encrypted data. [25] 

8.1.2. Importance/Relevance: Steganography is destined to become more 
important as more people join the Cyberspace revolution and as the existing 
governments of the world attempt to regulate or prohibit the use of 
cryptography for personal privacy purposes. 

8.1.3. Objective: This part introduces steganography by explaining what it is, 
providing a brief history with illustrations of some methods for 
implementing steganography, and comparing available software providing 
steganographic services. Trainees need to know that steganography has its 
place in security. In addition, it is important for them to recognize that it 
is not intended to replace cryptography but to supplement it. They will learn 
how hiding a message with steganography methods reduces the chance of 
detecting that message. However, if that message is also encrypted, then if 
discovered, it must also be cracked (yet another layer of protection). 

8.1.4. Time: 30 Minutes 

9. System Hardening 

9.1. Patches 

9.1.1. Definition: A program that corrects a problem with or adds additional 
features to a particular software title. A patch is not a complete program by 
itself; it requires a version of the software already on a system. System 
hardening is a systematic process of securely configuring a system by adding 
patches to protect it against unauthorized access, while also taking steps to 
make the system more reliable. Generally anything that is done in the name 
of system hardening ensures the system is both secure and reliable. [28] 

9.1.2. Importance/Relevance: Due to the complexities involved, the process of 
hardening systems and network servers is frequently not undertaken. Often, 
users do not realize that the new machine they have deployed is hosting 
network services that are open to misuse. In any case most network 
operating systems and servers are typically deployed in the default 
configuration, which leaves them vulnerable. System hardening can greatly 
reduce our vulnerability to misuse from the Internet and our internal 
network. 

9.1.3. Objective: This part describes the importance of hardening our systems by 
applying new patches from vendors. Trainees should realize that system 
hardening is necessary since some operating systems tend to be designed and 
installed primarily to be easy to use rather than secure. Trainees will 
recognize that if we harden our systems we can have more confidence in the 
integrity of our data, and that performance improvements can be expected since 
unnecessary services are removed and inefficiencies in system configuration 
are detected. 

9.1.4. Time: 30 Minutes 

9.2. Principle of Least Privilege Configuration 

9.2.1. Definition: The security guideline that a user should have the minimum 
privileges necessary to perform a specific task. This helps to ensure that, if a 
user is compromised, the impact is minimized by the limited privileges held 
by that user. In practice, a user runs within the security context of a normal 
user. When a task requires additional privileges, the user can use a tool such 
as Run as to start a specific process with those additional privileges, or log 
on as a user with the necessary privileges. [28] 

9.2.2. Importance/Relevance: There exists in the field of security the notion of 
performing tasks with just enough capability, or privilege, to get the job 
done, and no more. The principle of least privilege means that an object is 
assigned only the privileges it needs to perform its assigned tasks. Least 
privilege is an important principle in countering attacks and limiting damage. 
POLP is extremely fundamental. It is applicable to every area of security 
(physical, personnel, communications, computer, networks, data, etc.) and 
should be applied to the maximum extent possible, whenever and wherever possible. 

9.2.3. Objective: This part will enable trainees to understand the principle of 
least privilege concept, what it means and what it protects against. Trainees 
will learn why the principle of least privilege is considered important for 
meeting integrity objectives. They will learn how to determine the least 
privilege a user should be given by identifying what the user's job is. In 
addition, they will learn the importance of denying transactions that are not 
necessary for the performance of the user's duties, and that these denied 
privileges cannot then be used to circumvent the RSNF security policy. 

9.2.4. Time: 30 Minutes 

10. Redundancy/Duplication Protection 

10.1. Data Backups and Types 

10.1.1. Discussion: Data backup is the activity of copying files or databases so 
that they will be preserved in case of equipment failure or other catastrophe. 
Backup is usually a routine part of the operation of large businesses with 
mainframes, as well as of the administrators of smaller business computers. For 
personal computer users, backup is also necessary but often neglected. The 
retrieval of files we backed up is called restoring them. [24] 

10.1.2. Importance/Relevance: Because data is the heart of our Navy and any 
organization, it is crucial for everybody to protect it. To protect our Navy's 
data, we need to implement a data backup and recovery plan. 

10.1.3. Objective: The primary objective of this part is to allow trainees to obtain 
an understanding of the underlying importance of data backup. The three 
different types of backup will be explained in this part: 1) full, 2) sequential, 
and 3) differential. Trainees will learn when to use each of these three types of 
data backup. In this part trainees will be taught how to choose a backup device 
and a backup routine, perform timely backups, verify and validate backups, and 
then document and archive backups. 
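
As an added worked example (written for this edit, not taken from the thesis), the 
following Python models the three backup types over a constructed four-day file 
history, taking the text's "sequential" backup to mean an incremental one. It shows 
what each type copies, how many backups a restore depends on, and why every copy 
should be verified before it is restored. The file names, their contents and the 
SHA-256 verification step are assumptions of the example. 

```python
import hashlib
from typing import Dict, List, Tuple

FileSet = Dict[str, bytes]   # path -> contents of the protected system at one moment


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Backup:
    """One backup run: the copies it made plus a digest of each, for later checks."""

    def __init__(self, kind: str, files: FileSet) -> None:
        self.kind = kind                      # "full", "incremental" or "differential"
        self.files: FileSet = dict(files)
        self.digests = {path: digest(data) for path, data in files.items()}

    def size(self) -> int:
        return sum(len(data) for data in self.files.values())

    def verify(self) -> List[str]:
        """Paths whose stored copy no longer matches the digest taken at backup time."""
        return [p for p, d in self.files.items() if digest(d) != self.digests[p]]


def changed_since(current: FileSet, reference: FileSet) -> FileSet:
    """Files that are new or modified relative to a reference state.
    Deletions are not tracked in this simplified model."""
    return {p: d for p, d in current.items() if reference.get(p) != d}


def run_strategy(strategy: str, days: List[FileSet]) -> List[Backup]:
    """Back up each day's state under one strategy; day 0 is always a full backup."""
    backups: List[Backup] = []
    full_state: FileSet = {}   # state captured by the most recent full backup
    last_state: FileSet = {}   # state captured by the most recent backup of any kind
    for day, state in enumerate(days):
        if day == 0 or strategy == "full":
            backup = Backup("full", state)
            full_state = state
        elif strategy == "incremental":       # the text's "sequential" type
            backup = Backup("incremental", changed_since(state, last_state))
        elif strategy == "differential":
            backup = Backup("differential", changed_since(state, full_state))
        else:
            raise ValueError(f"unknown strategy: {strategy}")
        last_state = state
        backups.append(backup)
    return backups


def restore_chain(backups: List[Backup]) -> List[Backup]:
    """Backups that must all be intact to rebuild the latest state, oldest first."""
    last_full = max(i for i, b in enumerate(backups) if b.kind == "full")
    latest = backups[-1]
    if latest.kind == "incremental":
        return backups[last_full:]            # full plus every incremental after it
    if latest.kind == "differential":
        return [backups[last_full], latest]   # full plus only the newest differential
    return [latest]                           # a full backup stands alone


def restore(backups: List[Backup]) -> FileSet:
    """Rebuild the latest state, refusing to continue if any link fails verification."""
    state: FileSet = {}
    for backup in restore_chain(backups):
        bad = backup.verify()
        if bad:
            raise ValueError(f"{backup.kind} backup failed verification: {bad}")
        state.update(backup.files)
    return state


def restore_ok(backups: List[Backup]) -> bool:
    try:
        restore(backups)
        return True
    except ValueError:
        return False


def summarize(strategy: str, days: List[FileSet]) -> Tuple[int, int]:
    """(total bytes copied over the period, number of backups a restore depends on)."""
    backups = run_strategy(strategy, days)
    return sum(b.size() for b in backups), len(restore_chain(backups))


# Constructed four-day history of a small file set (not real RSNF data).
DAY0: FileSet = {"ops/plan.txt": b"plan v1", "ops/roster.txt": b"roster v1",
                 "logs/mon.log": b"log 1"}
DAY1: FileSet = {**DAY0, "logs/mon.log": b"log 1\nlog 2"}
DAY2: FileSet = {**DAY1, "ops/plan.txt": b"plan v2"}
DAY3: FileSet = {**DAY2, "logs/mon.log": b"log 1\nlog 2\nlog 3"}
WEEK = [DAY0, DAY1, DAY2, DAY3]


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        copied, chain = summarize(strategy, WEEK)
        print(f"{strategy:13s} copied {copied:3d} bytes; restore needs {chain} backup(s)")
    # Failure mode: one damaged incremental link makes the whole restore fail.
    damaged = run_strategy("incremental", WEEK)
    damaged[2].files["ops/plan.txt"] = b"plan vX"
    print("damaged incremental chain restores:", restore_ok(damaged))
```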

10.1.4. Time: 1 Hour 

10.2. Redundant Systems 

10.2.1. Definition: Redundant describes computer or network system components, 
such as hard disk drives, servers, operating systems, switches, and 
telecommunication links that are installed to back up primary resources in 
case they fail. [24] 
10.2.2. Importance/Relevance: Where it is inappropriate for networking, computer 
systems or data to be unavailable for the Navy's critical systems, or it would 
be impossible for recovery to occur, redundant networking, computer 
systems and data storage must be in place. 

10.2.3. Objective: This part is intended for trainees to appreciate the importance 
of having redundant systems for the RSNF networks, and how these 
redundant systems could back up their networks. They will also learn the 
important parts of a network that need to be backed up by a redundant 
system. Additionally, by the end of this part trainees should be able to explain 
why these redundant systems should not be considered an extra cost to any IT 
project. 

10.2.4. Time: 30 Minutes 

11. E-mail Security 

11.1. Discussion: This part discusses the risks associated with the use of e-mail, 
including information leakage, data integrity violations, repudiation, malicious 
code, spam, and others, and how to mitigate these risks. 

11.2. Importance/Relevance: Email is a vital communications channel for 
organizations of all kinds. As a result, email systems have become an even more 
important component of their information infrastructure. Nevertheless, with the 
significant growth of spam, viruses and other types of email attacks it is more 
challenging to manage and protect this critical communications asset. Most email 
related security breaches arise directly or indirectly from lack of awareness or 
knowledge. 

11.3. Objective: This part covers the safer use of email services and how to 
implement security settings and features. The variety of potential threats posed 
by email services is also reviewed. Trainees will also learn the relevant 
configurations and settings, as well as the use of an anti-spam tool. By the end 
of this part, trainees should understand how email works, be able to identify 
types of email threats and defend themselves against them using the security 
features in an email application, and, finally, be introduced to some email 
security tools. 

11.4. Time: 1 Hour 
12. Laptop/PDA Security 

12.1. Discussion: Laptop and PDA security can be broken down into two 
phases: physical security and access control/authentication. 

12.2. Importance/Relevance: Laptop computers and PDAs are popular these 
days and have become a prime target of thieves. These thieves are not only 
targeting these devices for the value of the device itself, but also for the sensitive 
data contained therein. 

12.3. Objective: This part will describe methods trainees can use to protect their 
laptops and PDAs against physical and data theft. It will discuss technical 
measures for protecting information on these devices if a device is stolen or 
accessed covertly, and notes special problems relating to traveling with these 
devices. 

12.4. Time: 1 Hour 

13. Modem Security 

13.1. Discussion: A modem (MOdulator/DEModulator) is a piece of communications 
equipment that enables a computer to send transmissions over analog 
telephone lines. 

13.2. Importance/Relevance: Modems, when connected to the Internet, pose a 
great threat to systems and networks. Users with dial-up Internet access from 
their desktops are the second-biggest security risk in corporations after internal 
hacking, according to Mark Graff, network security architect at Sun 
Microsystems. 

13.3. Objective: Modems and other high-speed connections are becoming 
increasingly available. Trainees will learn the security breaches related to 
the use of a modem to get an Internet connection from within the Navy's network. 

13.4. Time: 1 Hour 
B. TECHNIQUES FOR DELIVERING THE AWARENESS TRAINING 
MATERIAL 

To be effective, a security program like ISATP must be supported by trained 
personnel who understand all aspects of information security as it pertains to RSNF 
operations. Such critical preparation cannot be obtained in a “one size fits all,” 
“off-the-shelf” educational program. It is recognized that professional trainers 
produce professional results; therefore, we have to select and prepare a group of 
trainers who have a full understanding of the RSNF’s daily operations and sufficient 
experience in information security. The selected group will then be enrolled in one 
of the information security courses offered by either a commercial company or a 
governmental organization. The benefit of this “train the trainer” process will be 
trainers with a solid foundation of skills and knowledge in information security. 

To successfully implement a security awareness training program for RSNF end-users 
we should use internal resources. In RSNF we have several methods of training, and we 
should identify the best method for achieving the ISATP goals. The good thing about these 
methods is that the implementation costs associated with them are mostly time related, as 
awareness-level training is not dependent upon an extensive lab/equipment infrastructure. 
Individuals learn in different ways, and each has a preferred or primary learning style. The 
teaching approach most effective for individuals is a function of their preferred learning 
style, education, and prior experience. In learning information or concepts, some students 
will do better through reading; others prefer to listen to a lecture, whereas others need to 
participate in a discussion in order to understand the material. ISATP Instructors should be 
aware of these learning style differences and should use a variety of teaching approaches and 
presentation formats, including classroom instruction, computer-based instruction, manuals, 
self-paced instruction books, and videotapes. [29] 

Despite the fact that ISATP delivery should be multi-faceted, this thesis will not 
propose ISATP material suitable for all the formats and delivery techniques 
mentioned earlier in this chapter. We should also realize that specific formats may be 
particularly well suited to some circumstances; for example, the training technique 
used to train a ship’s crew is likely to differ from the one used to train another 
group in a shore facility, due to the obvious issue of trainee availability. I think 
that the key to effective training is to find the right mix of delivery styles for 
each unique situation; yet it would be great if we could offer ISATP in all the 
delivery techniques and afford the training to everybody in the RSNF. Some of the 
available delivery techniques include: 


Technique: Web-Based Training (WBT) 
Definition: Self-paced, interactive training available on the Internet. 
Example/Uses: Employees need to access “just in time and just enough” training at 
the time of the need. Employees may be working on varying platforms (Windows, 
Macintosh, and Unix). 
Advantages: Allows easy access anytime and virtually anywhere. Allows simple update 
to content. May use a variety of multimedia effects to draw the user in. May be 
linked to resources outside of the course. 
Disadvantages: Requires computer and Internet access. Requires self-motivation to 
complete the training. 

Technique: Multimedia-based Training (MBT) 
Definition: Self-paced interactive training presented on a CD-ROM using a variety of 
multimedia (e.g., audio and video). 
Example/Uses: Employees are geographically dispersed or otherwise unable to attend 
scheduled training. Employees may be unable to access the Internet. 
Advantages: Allows easy access to training on a desktop or laptop. Does not need 
access to the Web. 
Disadvantages: Is not able to take advantage of the power of the Web. 

Technique: Online Help 
Definition: Quick and immediate access to information about a specific task delivered 
to a user at the user’s request. 
Example/Uses: Users need quick access to information or a quick refresher to get the 
job done. Users need a quick cue, tip, or prompt when they roll the mouse over a 
screen area. Users need an online tutorial that can be attached to the application. 
Advantages: Allows user to get help and keep working. 
Disadvantages: Allows limited detail. 

Technique: Distance Learning 
Definition: An instructor-led approach where the instructor and participant are 
separated by place or time. An instructor posts lessons and exercises, and 
participants work independently yet have regular online chats with the instructor. 
Example/Uses: Employees are scattered geographically. Schedules prevent employees 
from attending face-to-face training. 
Advantages: Avoids costly travel for geographically scattered employees. Avoids the 
need to be physically in a classroom. Provides some interaction between the 
instructor and participants. 
Disadvantages: Allows limited interaction with other participants and the instructor. 

Technique: Reference Documentation 
Definition: Factual or procedural information that supports a person doing a 
particular job after initial learning has occurred. 
Example/Uses: Information includes job aids, charts, posters, user manuals, and 
reference guides. 
Advantages: Helps sustain learning. Serves as ongoing reference. Allows users easy 
access to structured information. 
Disadvantages: No interaction; boring. 

Technique: Face-to-face Training 
Definition: An interactive, instructor-led approach where the instructor and employee 
meet in a classroom for a specific duration of time in a common location. 
Example/Uses: Participants benefit from practice and feedback. Subject matter 
requires a classroom or laboratory situation. 
Advantages: Allows participant and instructor to carry on detailed conversations 
about unclear points. 
Disadvantages: Requires participants to travel to a certain location during a 
particular time period. 


Table. Training Delivery Techniques. From Ref. [30] 


C. EVALUATION AND FEEDBACK 

The ability to track and measure results of any training program is of the highest 
importance to our Navy, so we can ascertain the effectiveness of the training program 
and analyze the return on investment. Therefore, we should offer an effective means for 
this training program to easily develop surveys, which can be attached to published 
training materials, and returned to the Information and Computer Department for 
processing of results. The results can be reviewed by the publishers to evaluate the 
effectiveness of the materials, and thus offer a means for measuring the return on 
investment. Practical evidence such as feedback from presenters, audiences, and 
supervisors is one of the most useful sources of measurement and evaluation of the 
program. Aspects of the ISATP that can be measured include: 

• Audience satisfaction - this can be measured after-the-fact with course or 
presentation evaluations or surveys about the awareness training program. 
Evaluations, where the audience is asked to rate the program or activity on a 
scale, measure how well the audience liked the course, activity, or materials. 
User feedback may be requested on the relevance and the effectiveness. 
Asking for suggestions is also a good approach. 

• What information the audience has learned (i.e., learning or teaching 
effectiveness). This can be measured with behavioral objective testing. 
Pre/post tests and surveys are useful in determining what the audience 
remembered. Unless a pre-test or preliminary survey is conducted, measuring 
change is difficult. 
• Skill transfer/audience performance. This type of evaluation goes beyond the 
learner to gather input from an outside evaluator, such as a supervisor, 
security / incident response personnel, or help desk personnel. Follow-up 
interviews, walk-through testing, help desk / incident reporting statistics, and 
audit findings can be used to measure improvements in awareness and job 
performance. Improvements are measured by comparing pre- and post-test or 
survey scores. [31] 

D. ONGOING IMPROVEMENT 

The training department needs to complete a formal rating evaluation after each 
course and at the end of the training year to indicate their satisfaction with the 
training experiences and outcomes, the quality of material provided, and the 
facilities and resources available. The Information and Computer Department will 
review the training satisfaction ratings and take reasonable steps to address any 
areas of concern. Interviews with the ISATP teachers by the training officers will be 
completed at the end of the training year to gather additional feedback about the 
training experience, in order to facilitate the continuous improvement of the 
information security awareness training program (ISATP). It is expected that the 
program teachers will also provide feedback to program supervisors in the training 
department on an ongoing basis, concerning their needs and the extent to which the 
training activities are fulfilling their goals. This ongoing feedback process, which 
will continue for the next program year, will enable the Information and Computer 
Department to incorporate mid-course changes as needed. The cumulative results of this 
year's evaluations will provide information on the effectiveness of the ISATP on the 
RSNF employees’ skills, attitudes, and behavior, as well as on the effectiveness of 
the lecturers’ instructional styles. 
V. CONCLUSION AND RECOMMENDATION 


A. CONCLUSION 

For many organizations, taking a long, hard look at information assets and what is 
being done to protect them has become as important as adding new systems. Knowing 
how to protect information assets is rapidly becoming one of the most critical 
educational needs of the new century. Information security training is essential to 
safeguard operational continuity, minimize the potential risk of damage, and avoid or 
reduce the impact of security-related incidents. Effective information security 
training will enable RSNF employees to share data in a more secure environment, whilst 
ensuring the protection of systems and other RSNF IT resources. Computing facilities 
and the information systems they support have become increasingly accessible as a 
result of the explosion of the open, public Internet and the expanded use of computer 
systems in all aspects of operations in the RSNF. A great deal of attention is now 
being focused on this issue. Regrettably, this attention has not been followed by 
actions to raise RSNF employees to an acceptable level of security awareness through 
training. 

The need for security awareness training, driven by modern threats to computers and 
systems, the necessity of a more secure working environment in the Navy, and the 
assignment of various security responsibilities to each and every one in the RSNF, 
led to the need to develop an awareness training program for the RSNF. The purpose of 
this thesis has been to evaluate some of the existing information security courses 
offered by commercial companies and educational institutions; this evaluation helped 
to select the appropriate material that best fits the needs of the RSNF. 

The Information Security Awareness Training Program (ISATP) provides detailed, 
specific information to help the Saudi Navy in starting a basic course to train its 
employees in Information Assurance (IA). The RSNF should measure the effectiveness of 
the ISATP, the extent to which the program is useful to the Navy, and whether it is a 
sensible use of training resources. As this thesis has shown, security training is 
intended for all RSNF employees, whatever their responsibilities: everyone with a 
computer connected to a network is exposed to situations that might require some sort 
of training to bring forth an appropriate response. For this reason, the ISATP 
material covers a broad spectrum of IA to meet the needs of the mixture of backgrounds 
and expertise among the trainees; this program will serve as a solid foundation for 
RSNF employees and make them knowledgeable of their role in protecting the Navy’s 
information. There is certainly more to be done, however. I consider this thesis the 
first step of what I hope will be an extended study of information security training 
in the future. 


B. RECOMMENDATIONS FOR FUTURE WORK 

This thesis did not attempt to solve the entire problem of not having an information 
security training program in the RSNF, yet it makes the first move toward having such a 
program; this move is intended to help the RSNF IT personnel in developing a basic 
ISATP to train all RSNF employees. This thesis is advisory and not directive. It 
provides guidance on specific requirements that may influence the strategies for 
developing, delivering and implementing an ISATP for the Navy. This thesis does not 
establish or originate the complete ISATP. Instead, its purpose is to clarify the 
importance, essential contents and depth of coverage of a complete ISATP. Methods 
described in this thesis represent recommended approaches to meet RSNF security 
requirements; the RSNF may choose other approaches that provide assurance that these 
requirements are met. However, the recommended approaches and criteria set forth in 
this thesis for the development, delivery, and implementation of security training 
may be used as the basis for building a comprehensive ISATP. 


It was shown that in order to train the vast majority of RSNF employees we need 
to consider the different delivery techniques available to solve the problem of 
trainees’ availability. Further research into proposing materials suitable for the 
different techniques enclosed in chapter four of this thesis is recommended for future 
studies. In addition to the suitability of the proposed material to the delivery 
techniques, these materials should be designed to fulfill the unique RSNF security 
training needs, such as training the network administrators and information security 
officers. It is also recommended that additional research be done on providing a 
computer lab with all the tools needed for such training; these tools may include 
password cracking software, intrusion detection systems, firewalls, steganography 
tools, etc. 

Another central and important issue deserving further study is the examination of the 
effectiveness of the ISATP. This study should also address the need to keep the 
ISATP current and relevant. Such ongoing evaluation is an essential component of any 
training program. This is especially true in sensitive fields such as information 
security, where the recipients of the training directly affect the operations of the 
Navy. 
APPENDIX A - SANS TRACK 1 COURSE OUTLINE 


This appendix is provided to list the terminologies and core concepts covered in the 
SANS Security Essentials course. 


DAY / Topic: Terminologies and core concepts covered 

Day 1 

Network Fundamentals: Network Types (LANs, WANs); Network Topologies; Ethernet, Token 
Ring; ATM, ISDN, X.25; Wireless; Wiring; Network Devices; VLANs; Voice over IP. 

Network Layer Security Protocols: IPSec; SKIP; SWIPE. 

Application Layer Security Protocols: S/MIME; SET; PEM. 

IP Concepts: Packets and Addresses; IP Service Ports; IP Protocols; TCP; UDP; ICMP; DNS. 

IP Behavior: TCPdump; Recognizing and Understanding; UDP; ICMP; UDP Behavior. 

IOS and Router Filters: Routers; IOS; Routing; Routing Protocols; Access Control Lists. 

Host-based Perimeter Protection: Vulnerabilities; Four Primary Threats; Personal 
Firewalls. 

Physical Security: Facility Requirements; Technical Controls; Environmental Issues; 
Personal Safety; Physical Security Threats; Elements of Physical Security. 

Hardware Architecture: Memory Types; Machine Types; Operating System States; Storage 
Types; Operating System Protection Mechanisms. 

Day 2 

Information Assurance Foundations: Threat Model; Authentication vs. Authorization; Data 
Classification; Vulnerabilities; Defense In-Depth. 

Computer Security Policies: Elements When Well Written; How Policies Serve as 
Insurance; Roles and Responsibilities. 

Contingency and Continuity Planning: Legal and Regulatory Requirements; Disaster 
Recovery Strategy and Plan. 

Business Impact Analysis: Emergency Assessment; Business Success Factors; Critical 
Business Functions. 

Password Management: Password Cracking for Windows and Unix; Alternate Forms of 
Authentication (Tokens, Biometrics); Single Sign On and RADIUS. 

Access Control Techniques: Discretionary Access Control (DAC); Mandatory Access 
Control (MAC); Lattice, Rule and Role Based, and Tokens/Tickets. 

Access Control Modes: Bell LaPadula (BLP); Biba, Clark Wilson and Non-Interference; 
State Machine and Information Flow. 

Access Protocols: CHAP; PAP. 

Incident Handling: Preparation, Identification and Containment; Eradication, Recovery 
and Lessons Learned; Evidence Handling and Laws; Investigation Techniques and Computer 
Crime Ethics. 

Offensive and Defensive Information Warfare. 

Web Security: Web Communication; Web Security Protocols; Active Content; Cracking Web 
Applications; Web Application Defenses. 

Data Warehousing: Aggregation and Data Mining; Inference, Polyinstantiation and 
Multi-level Security. 

System Development: System Development Life Cycle and Security Control Architecture; 
Service Level Agreements (SLAs); Programming Techniques and Secure Programming; Remote 
Procedure Calls (RPCs), Flaws and Issues. 

Types of Systems: Knowledge Based, Expert Systems and Neural Networks. 

Day 3 

Host-based Intrusion Detection: TCP Wrappers, Nuke Nabber, Back Officer Friendly, 
AtGuard; Syslog; Tripwire; Forensics. 

Network-based Intrusion Detection: Commercial Tools; CIDF, CVE; Shadow. 

Methods of Attacks: Brute Force; Denial of Service; Spoofing; Pseudo Flaw; Alteration 
Code; Logic Bomb; Trap Door; Interrupts; Inference; Traffic Analysis; Flooding; 
Spamming. 

Honey pots: What They Are and How to Deploy Them; Deception Toolkit. 

Firewalls and Perimeters: Firewalls and Policy Enforcement; Packet Filtering, State 
Aware and Proxy; Intrusion Detection Using Firewall Logs; Effect of Firewalls on IDS 
Sensors; Firewall Avoidance Techniques, Modems and Backdoors. 

Risk Assessment and Auditing: Introduction to Risk Management; Calculation of 
Acceptable Loss; Dollar Driven vs. Qualitative; Knowledge Based (Accreditation); 
Securing NT Step-by-Step; Introduction to Auditing; Risk Assessment Checklists. 

Vulnerability Scanners: Common Vulnerability and Initiative; Saint; Nessus; ISS 
Security Scanner; War Dialing; Penetration Testing. 

Security Policy: How All These Capabilities Work Together; Automated Response; Chain 
of Custody and Legal Issues. 

Introduction to Information Warfare: Know Your Enemy - Ankle Biters to Full IW; 
Cyberwar in the Real World; Cyberwar Scenario. 

Future Directions: Where These Technologies are Heading. 

Day 4 

Cryptography: Need for Cryptography; Types of Encryption; Symmetric; Asymmetric; Hash; 
Ciphers; Digital Substitution; Algorithms; Real-world Cryptosystems; Crypto Attacks; 
VPNs; Types of Remote Access; PKI; Digital Certificates; Key Escrow. 

Steganography: Types; Applications; Detection. 

PGP: Installing and Using PGP; Signing Data and What It Means; Key Management; Key 
Servers. 

Anti-Viral Tools on Desktops: Malicious Code; Virus and Hoax Information; 
Organizational Anti-viral Policy; Desktop Anti-viral Care, Feeding, Recovery of 
Damaged Files and Systems. 

Operations Security: Legal Requirements; Administrative Management; Individual 
Accountability; Need to Know; Privileged Operations; Control Types; Operation 
Controls; Reporting. 

Day 5 

The Security Infrastructure: The Windows Family of Operating Systems; Workgroups And 
Local Accounts; What Is Active Directory?; Domain Users and Groups; Kerberos, NTLMv2, 
Smart Cards; Forests and Trusts; What is Group Policy? 

Permissions and User Rights: NTFS Permissions; File and Print Sharing Service; Shared 
Folders; Encrypting File System; Shared Printers; The Registry and Registry 
Permissions; User Rights. 

Security Policies and Templates: Group Policy Objects; Password Policy; Lockout 
Policy; Anonymous Access; Software Restriction Policies; NTLMv2 Authentication; 
Protecting Critical Accounts. 

Service Packs, Patches and Backups: Service Packs; E-Mail Security Bulletins; Hotfix 
Network Checker (HFNETCHK.EXE); Patches Installation; Windows and System Update; 
Software Update Services; Windows Backups; System Restore; Device Driver Rollback. 

Securing Network Services: The Best Way To Secure A Service; Firewalls and Packet 
Filtering; IPSec and VPNs; Wireless Networking; Internet Information Server (IIS); 
IIS Lockdown Tool; URLSCAN; Terminal Services. 

Auditing and Automation: Microsoft Baseline Security Analyzer; CIS Scoring Tool; 
SECEDIT.EXE; Windows Event Logs; NTFS and Registry Auditing; IIS Logging; Creating 
System Baselines; Scripting Tools; Scheduling Jobs. 

Day 6 

Patching and Software Installation: The Need for Patches; Obtaining and Installing 
System Patches; Managing Third-party Software Apps. 

Minimizing System Services: Guidance for Dangerous Services; Controlling Services at 
Boot Time; Inetd and xinetd; IP-based Access Control. 

Logging: Syslog and Other Standard Logs; System Accounting; Process Accounting. 

Warning Banners: Sample Warning Banner Texts; Standard Warning Banner Config; Banners 
for Networked Services. 

Access Control: Usernames, UIDs, the Superuser; Blocking Accounts, Expiration, etc.; 
Restricting Superuser Access; Boot-level Access Control; Disabling .rhosts. 

Additional Security Configuration: File System Access Control; Kernel Tuning for 
Security; Security for the cron System. 

Backups and Archives: tar, dump, and dd; Tricks and Techniques; Networked Backups. 


Table 2. Terminologies and Core Concepts Covered by SANS Security Essentials 
Course Topics. From Ref. [4] 
APPENDIX B - NPS INFORMATION ASSURANCE (IA) 
COMPUTER SECURITY COURSE OUTLINE 


This appendix is provided to list the terminologies and core concepts covered in the 
NPS Information Assurance (IA): Computer Security course. 


Week 

Topic 

Terminologies and core concepts covered 

Week 1 

Section 1: Introduction to 

Information Assurance Computer 

Security 

Section 2: Access Control, 

Identification & Authentication, 

and DAC 

INFOSEC 

COMPUSEC 

Date Secrecy Vice Data Integrity 

Policies and Assurance 

Threat Models (Amateur & Professional) 

Trusted systems 

Ethics and Computer Security 

History of Computer Security 

Information Warfare 

Cost of security 

Simple System Access Control 

Identification and Authentication 

Passwords and Password Files 

Password Attacks and Cracking 

Password Selection 

LAN Manager (LanMan) 

Authentication Tokens 

Biometrics 

Reply Attacks 

Challenge and response Protocol 

Login Spoofing Programs 

Trusted Path 

Modems (Legitimate & Illegitimate) 

Data Access Control 

Permission Bits 

Capability List 

Access Control Lists (ACLs) 

W2K ACLs 

Week 2 | Access Control, MAC & Supporting Policies 
  Labeled Data 
  Label-Based Policies 
  MAC Policies 
  Bell and LaPadula Model (BLP) 
  Compartments and Levels 
  An Integrity Model 
  The Biba Model 
  Covert Channels 
  Storage Channels 
  Disk Exhaustion Channel 
  Timing Channel 
  Multilevel Subjects 
  Supporting Policies 
  Limitations of Access Control 

Week 3 | Building Secure Systems & Assurance Issues 
  Assurance Vice Policies 
  Terms and Concepts 
  Reference Monitor 
  Protection of Memory 
  Segmentation of Memory 
  Separation of Processes 
  MAC Labeling 
  Protection Domains 
  Intel Privilege Level (PL) Protection Mechanism 
  An Intel Gate Call 
  Ring Brackets 
  Modularity 
  Layering 
  Data Hiding / Information Hiding 
  Analysis 
  Formal Methods Analysis 
  Security Models 
  Medium and High Assurance Use 
  More Security Models 

Week 4 | Malicious Software & Attacks 
  Viruses 
  Worms 
  Trojan Horses 
  Backdoors / Trapdoors 
  Packet Sniffing 
  Buffer Overflow Attacks 
  The Smurf Attack 
  IP Spoofing 
  Ping Command 
  Unix Backdoors 
  Social Engineering 

Week 5-6 | System Accreditation & Certification 
  System Evaluation 
  TCSEC (Orange Book) 
  Common Criteria 
  Orange Book Requirements 
  CC Requirements 
  EAL 
  Accreditation and Certification 
  Designated Approved Authority (DAA) 
  Operating Modes 
  DITSCAP 
  System Security Authorization Agreement (SSAA) 
  System Characteristics 
  Certification Levels 
  Certification Analysis Tasks 
  Certification and Evaluation of the Integrated Systems 
  Vulnerability or Risk Analysis Issues 
  Annual Loss Expectancy (ALE) Based Risk Analysis 
  Controls and Safeguards 
  NAVSO PUB 5239-16 
  Risk Analysis Method Comparisons 

Week 6-7 | Basics of Cryptography 
  Terms and Notations 
  Types of Cryptography 
  Keys 
  Conventional Cryptography 
  Public Key Cryptography 
  Caesar Cipher 
  Shift Cipher 
  General Substitution Cipher 
  Polyalphabetic Substitution Ciphers 
  Vigenere Cipher 
  One-Time-Pad Cipher 
  Binary Substitution Ciphers 
  Transposition Permutation Technique 
  Multiple Stage Ciphers 
  Plain Text Attack 
  Confusion 
  Diffusion 
  Advanced Encryption Standard (AES) 
  Digital Encryption Standard (DES) 
  S-Boxes 
  Block Cipher Modes 
  Electronic Code Book Mode (ECB) 
  Cipher Block Chaining Mode (CBC) 
  Output Feedback Mode (OFB) 
  Cipher Feedback Mode (CFB) 
  Triple DES 
  Other Conventional Ciphers 
  Public Key Cryptography 
  Public Key Distribution 
  Public Key Algorithm 
  Rivest-Shamir-Adleman (RSA) Algorithm 
  Conventional Vice Public Key Encryption 
  Hashing 
  Message Authentication Codes (MACs) 

Week 8 | Cryptographic Protocols 
  Services Provided by Cryptosystems 
  Protocols 
  Arbitrated Protocol 
  Adjudicated Protocol 
  Self-Enforcing Protocol 
  Integrity 
  Integrity With Conventional Cryptography 
  Integrity Protocol Examples 
  Authentication With Conventional Cryptography 
  Secrecy With Public Key Cryptography 
  Integrity With Public Key Cryptography 
  Authentication With Public Key Cryptography 
  Integrity and Authenticity With Public Key Cryptography 
  Digital Signatures 
  Non-Repudiation Protocol 
  Key Distribution 
  Key Distribution Center (KDC) 
  Hybrid Scheme and Hybrid Encryption Scheme 
  Timestamps 
  Nonces 

Week 9 | Network Security I: Basics 
  Packet Switched Networks 
  Circuit Switched Networks 
  Circuit Vice Packet Switched Networks 
  Network Attacks 
  Threats to Network Security 
  Network Encryption 
  End-To-End Encryption 
  Link Encryption 
  Link Encrypted Network 
  Virtual Private Networks (VPNs) 
  Gateway-To-Gateway VPN 
  Client-To-Gateway VPN 
  OSI Reference Model 
  Network Security Policies 
  Network Evaluation 

Week 10-11 | Network Security II: TCP/IP, Firewalls & Intrusion Detection 
  TCP/IP 
  IP Protocol 
  TCP Protocol 
  TCP Port Numbers 
  Encapsulation 
  UDP Protocol 
  ICMP Protocol 
  Packet Sniffing 
  IP Spoofing 
  Three-Way Handshake 
  Firewalls 
  Static Packet Filters 
  Dynamic Packet Filters 
  Application Gateways 
  Firewall Network Configuration 
  Intrusion Detection Systems (IDSs) 
  Host-Based IDSs 
  Network-Based IDSs 
  Distributed Sensor Systems 
  Honey Pots 

Week 11-12 | Network Security III 
  Public Key Infrastructure (PKI) 
  Digital Signatures 
  Public Key Distribution 
  Certificates 
  Certificate Authorities (CAs) 
  Private Key Storage 
  Creation of Certificates 
  X.509 Certificate Standard 
  Certificate Revocation Lists (CRLs) 


Table 3. Information Assurance (IA): Computer Security Course. From Ref. [6] 
APPENDIX C - LTI INTRODUCTION TO SYSTEM AND 
NETWORK SECURITY COURSE OUTLINE 


This appendix is provided to list the terminologies and core concepts covered in 
the Learning Tree International Introduction to System and Network Security Course. 


Day | Topic | Terminologies and core concepts covered 

Day 1 | ESTABLISHING YOUR ORGANIZATION'S SECURITY 
  Real threats that impact security 
  • Hackers inside and out 
  • Masqueraders and counterfeiters 
  • Eavesdropping 
  • Spoofing 
  • Sniffing 
  • Trojan horses 
  • Viruses 
  • Bombs 
  • Wiretaps 
  A security policy: the foundation of your protection 
  • The four objectives: availability, integrity, confidentiality and authenticity 
  • Maximizing threat reduction 
  • Assessing your exposure 
  • Implementing the countermeasures 
Day 1 | NETWORK INTERCONNECTIONS: A MAJOR POINT OF VULNERABILITY 
  Basic operating system and TCP/IP concepts 
  • Login accounts and passwords 
  • File/directory access permission 
  • Some well-known security gaps 
  Early system security improvements 
  • DES encryption 
  • Shadow passwords 
  • Dialback/dialer passwords 

Day 2 | DETERRING MASQUERADERS AND ENSURING AUTHENTICITY 
  Impersonating users 
  • Stealing passwords 
  • “Borrowing” IP addresses 
  How masqueraders infiltrate a system 
  • Brute force guessing 
  • Using crack to discover passwords 
  • Replaying network login exchanges 
  • Planting a Trojan horse 
  Holding your defensive line 
  • Hiding passwords 
  • Implementing packet filters 
  • Adopting strong authentication with Kerberos and other tools 
  • Authenticating users with public key encryption 
Day 2 | PREVENTING EAVESDROPPING TO PROTECT YOUR CONFIDENTIALITY 
  Unauthorized listening and looking 
  • Peeking at files 
  • Snooping with analyzers & wiretaps 
  Countering the eavesdropper 
  • File and data encryption 
  • Hiding behind firewalls 
  • Using SSL to maintain Web confidentiality 

Day 3 | THWARTING COUNTERFEITERS AND FORGERY TO RETAIN INTEGRITY 
  The forger's arsenal 
  • Hacking e-mail messages 
  • Censoring system logs 
  • Scrambling the routing tables 
  Shielding your assets 
  • Encrypting files and messages 
  • Using digital signatures to protect transactions: PGP/MD5 
  • Protecting logs with immutable files 
  • Adopting advanced routing protocols 
Day 3 | AVOIDING DISRUPTION OF SERVICE TO MAINTAIN AVAILABILITY 
  Denial-of-service attacks 
  • Delivering viruses and bombs via the Web 
  • Data flooding 
  Constructing your bastions 
  • Smart MUAs 
  • Anti-virus toolsets 
  • Imposing quotas on processes, files and accounts 
  The importance of firewalls 
  • Using a packet filter to shield against bombardment 
  • Using application proxies to manage Internet communications 

Day 4 | FIREWALLS AND FIREWALL TOPOLOGIES 
  Choosing the right firewall 
  • Packet filters 
  • Circuit level 
  • SOCKS 
  • Application proxy gateways 
  Firewall topologies 
  • Using supportive technologies to provide “defense in depth” 
  • Creating virtual private networks (VPNs) using firewall-to-firewall encryption 
  • Setting up the “demilitarized zone” 
  • Siting externally accessible servers 
Day 4 | DEVELOPING YOUR SECURITY POLICY 
  Steps to take now 
  • Conducting a threat reduction analysis 
  • Determining the appropriate countermeasures 
  • Producing your action plan 
  • Choosing the right tools 
  Responding to attacks 
  • Assigning responsibilities 
  • Limiting damage 
  • Choosing the appropriate response 
  • Keeping up with new vulnerabilities 


Table 4. Learning Tree International Introduction to System and Network Security Course. From Ref. [7] 
APPENDIX D - LAPTOP SOLUTIONS COMPTIA SECURITY+™ 
CERTIFICATION EXAM TRAINING COURSE OUTLINE 


This appendix is provided to list the terminologies and core concepts covered in 
the Laptop Solutions CompTIA Security+™ Certification Exam Training Course. 


Section | Topic | Terminologies and core concepts covered 

Sec 1 | General Security Concepts 
  Access Control 
  • MAC/DAC/RBAC 
  Authentication 
  • Kerberos 
  • CHAP 
  • Certificates 
  • Username/Password 
  • Tokens 
  • Multi-Factor 
  • Mutual Authentication 
  • Biometrics 
  Non-essential Services and Protocols (Disabling unnecessary systems / processes / programs) 
  Attacks 
  • DOS/DDOS 
  • Back Door 
  • Spoofing 
  • Man in the Middle 
  • Replay 
  • TCP/IP Hijacking 
  • Weak Keys 
  • Mathematical 
  • Social Engineering 
  • Birthday 
  • Password Guessing 
    > Brute Force 
    > Dictionary 
  • Software Exploitation 
  Malicious Code 
  • Viruses 
  • Trojan Horses 
  • Logic Bombs 
  • Worms 
  Social Engineering 
  Auditing - Logging, system scanning 

Sec 2 | Communication Security 
  Remote Access 
  • 802.1x 
  • VPN 
  • RADIUS 
  • TACACS/+ 
  • L2TP/PPTP 
  • SSH 
  • IPSEC 
  • Vulnerabilities 
  Email 
  • S/MIME 
  • PGP 
  • Vulnerabilities 
    > Spam 
    > Hoaxes 
  Web 
  • SSL/TLS 
  • HTTP/S 
  • Instant Messaging 
  • Vulnerabilities 
  • Naming Conventions 
  • Packet Sniffing 
  • Privacy 
  Vulnerabilities 
  • Java Script 
  • ActiveX 
  • Buffer Overflows 
  • Cookies 
  • Signed Applets 
  • CGI 
  • SMTP Relay 
  Directory - Recognition not administration 
  • SSL/TLS 
  • LDAP 
  File Transfer 
  • S/FTP 
  • Blind FTP/Anonymous 
  • File sharing 
  • Vulnerabilities 
    > Packet Sniffing 
  Wireless 
  • WTLS 
  • 802.11x 
  • WEP/WAP 
  • Vulnerabilities 
    > Site Surveys 

Sec 3 | Infrastructure Security 
  Devices 
  • Firewalls 
  • Routers 
  • Switches 
  • Wireless 
  • Modems 
  • RAS 
  • Telecom/PBX 
  • VPN 
  • IDS 
  • Network Monitoring/Diagnostic 
  • Workstations 
  • Servers 
  • Mobile Devices 
  Media 
  • Coax 
  • UTP/STP 
  • Fiber 
  • Removable media 
    > Tape 
    > CDR 
    > Hard drives 
    > Diskettes 
    > Flashcards 
    > Smartcards 
  Security Topologies 
  • Security Zones 
    > DMZ 
    > Intranet 
    > Extranet 
  • VLANs 
  • NAT 
  • Tunneling 
  Intrusion Detection 
  • Network Based 
    > Active Detection 
    > Passive Detection 
  • Host Based 
    > Active Detection 
    > Passive Detection 
  • Honey pots 
  • Incident Response 
  Security Baselines 
  • OS/NOS Hardening (Concepts and processes) 
    > File System 
    > Updates (Hotfixes, Service Packs, Patches) 
  • Network Hardening 
    > Updates (Firmware) 
    > Configuration 
      - Enabling and Disabling Services and Protocols 
      - Access control lists 
  Application Hardening 
  • Updates (Hotfixes, Service Packs, Patches) 
  • Web Servers 
  • Email Servers 
  • FTP Servers 
  • DNS Servers 
  • NNTP Servers 
  • File/Print Servers 
  • DHCP Servers 
  • Data Repositories 
    > Directory Services 
    > Databases 

Sec 4 | Basics of Cryptography 
  Algorithms 
  • Hashing 
  • Symmetric 
  • Asymmetric 
  Concepts of using cryptography 
  • Confidentiality 
  • Integrity 
    > Digital Signatures 
  • Authentication 
  • Non-Repudiation 
    > Digital Signatures 
  • Access Control 
  PKI 
  • Certificates - Make a distinction between what certificates are used for what purpose. Basics only. 
    > Certificate Policies 
    > Certificate Practice Statements 
  • Revocation 
  • Trust Models 
  Standards and Protocols 
  Key Management/Certificate Lifecycle 
  • Centralized vs. Decentralized 
  • Storage 
    > Hardware vs. Software 
    > Private Key Protection 
  • Escrow 
  • Expiration 
  • Revocation 
    > Status Checking 
  • Suspension 
    > Status Checking 
  • Recovery 
    > M of N Control 
  • Renewal 
  • Destruction 
  • Key Usage 
    > Multiple Key Pairs (Single, Dual) 

Sec 5 | Operational/Organizational Security 
  Physical Security 
  • Access Control 
    > Physical Barriers 
    > Biometrics 
  • Social Engineering 
  • Environment 
    > Wireless Cells 
    > Location 
    > Shielding 
    > Fire Suppression 
  Disaster Recovery 
  • Backups 
    > Off Site Storage 
  • Secure Recovery 
    > Alternate Sites 
  • Disaster Recovery Plan 
  Business Continuity 
  • Utilities 
  • High Availability / Fault Tolerance 
  • Backups 
  Policy and Procedures 
  • Security Policy 
    > Acceptable Use 
    > Due Care 
    > Privacy 
    > Separation of duties 
    > Need to Know 
    > Password Management 
    > SLA 
    > Disposal / Destruction 
    > HR Policy 
      - Termination - Adding / revoking passwords, privileges, etc. 
      - Hiring - Adding / revoking passwords, privileges, etc. 
      - Code of Ethics 
  • Incident Response Policy 
  Privilege Management 
  • User/Group/Role Management 
  • Single Sign-on 
  • Centralized vs. Decentralized 
  • Auditing (Privilege, Usage, Escalation) 
  • MAC/DAC/RBAC 
  Forensics (Awareness, conceptual knowledge and understanding - know what your role is) 
  • Chain of Custody 
  • Preservation of Evidence 
  • Collection of Evidence 
  Risk Identification 
  • Asset Identification 
  • Risk Assessment 
  • Threat Identification 
  • Vulnerabilities 
  Education - Training of end users, executives and HR 
  • Communication 
  • User Awareness 
  • Education 
  • Online Resources 
  Documentation 
  • Standards and Guidelines 
  • Systems Architecture 
  • Change Documentation 
  • Logs and Inventories 
  • Classification 
    > Notification 
  • Retention/Storage 
  • Destruction 


Table 5. Laptop Solutions, Security Certification Exam Training Course. From Ref. [8] 
APPENDIX E - PROPOSED ISATP MATERIAL OUTLINE 


1. Introduction to Information Assurance 

1.1. INFOSEC & COMPUSEC 

1.2. Sensitive Data Definition 

1.3. Importance of Security 

1.4. The Meaning of “Secure” 

1.5. Vulnerabilities (and why systems have so many) 

1.6. Threats 

1.7. Countermeasures 

1.8. Policies 

1.9. Assurance 

2. Network Fundamentals 

2.1. Network Types 

2.1.1. LANs 

2.1.2. WANs 

2.2. Network Topologies 

2.2.1. Contention-Based (Bus) 

2.2.2. Ring 

2.2.3. Switched 

2.3. Network Devices 

2.3.1. Hubs 

2.3.2. Switches 

2.3.3. Routers 

2.4. Important Layer 3/4 Network Protocols 

2.4.1. IP 

2.4.2. TCP 

2.4.3. UDP 

2.4.4. ICMP 

2.5. How Packets Get Routed 

3. Computer System Security and Access Controls 

3.1. System Access Control 

3.1.1. Identification & Authentication 

3.1.1.1. Something you know 

3.1.1.2. Something you have 

3.1.1.3. Something you are 

3.1.1.4. Multiple Factor Authentication 

3.1.2. Passwords 

3.1.2.1. Password Attacks 

3.1.2.2. Password Selection 

3.1.2.3. Password Protection 

3.2. Data Access Controls 

3.2.1. Discretionary Access Control 

3.2.2. Mandatory Access Control 

3.2.3. Access Control List 

3.3. Access Control Models 

3.3.1. Bell & Lapadula Model 

3.3.2. Biba Model 

3.3.3. Clark-Wilson Model 

3.3.4. Take-Grant Model 

4. Types Of Attacks 

4.1. Probes and Scans 

4.2. Account Compromise 

4.3. Packet Sniffing 

4.4. Denial of Service 

4.5. Spoofing 

4.6. Malicious Software “Malware” 

4.6.1. Viruses 

4.6.2. Worms 

4.6.3. Trojan Horses 

4.6.4. Protecting Against 

4.7. Social Engineering 

5. Intrusion Detection 

5.1. Network Based 

5.2. Host Based 

5.3. Passive Response 

5.4. Active Response (IDP) 

6. Traffic Filtering (Firewalls) 

6.1. Types of Firewalls 

6.1.1. Stateless 

6.1.2. Stateful 

6.1.3. Dynamic 

6.1.4. Proxy Based 

6.1.5. Network Based 
6.1.6. Host Based (Personal) 

6.2. Firewall Configurations 

7. Cryptography 

7.1. Algorithms 

7.1.1. Symmetric (Secret Key) 

7.1.1.1. DES/3DES 

7.1.1.2. AES 

7.1.2. Asymmetric (Public Key) 

7.1.2.1. RSA 

7.1.2.2. Elliptic Curve 

7.1.3. Hashing 

7.2. PKI 

7.2.1. Digital Certificates 

7.2.2. Digital Signatures 

7.2.3. PGP 

8. Steganography 

9. System Hardening 

9.1. Patches 

9.2. Principle of Least Privilege Configuration 

10. Redundancy/Duplication Protection 

10.1. Data Backups and Types 

10.1.1. Full 

10.1.2. Sequential 

10.1.3. Differential 

10.2. Redundant Systems 

11. E-mail Security 

12. Laptop / PDA Security 

13. Modem Security 